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Preface 

It is now 10 years ago that two of us took the train to Stockholm to meet 
Per Martin-Lof and discuss his ideas on the connection between type theory 
and computing science. This book describes different type theories (theories 
of types, polymorphic and monomorphic sets, and subsets) from a computing 
science perspective. It is intended for researchers and graduate students with 
an interest in the foundations of computing science, and it is mathematically 
self-contained. 

We started writing this book about six years ago. One reason for this long 
time is that our increasing experience in using type theory has made several 
changes of the theory necessary. We are still in this process, but have neverthe¬ 
less decided to publish the book now. 

We are, of course, greatly indebted to Per Martin-Lof; not only for creating 
the subject of this book, but also for all the discussions we have had with him. 
Beside Martin-Lof, we have discussed type theory with many people and we 
in particular want to thank Samson Abramsky, Peter Aczel, Stuart Anderson, 
Roland Backhouse, Bror Bjerner, Robert Constable, Thierry Coquand, Peter 
Dybjer, Roy Dyckhoff, Gerard Huet, Larry Paulson, Christine Paulin-Mohring, 
Anne Salvesen, Bjorn von Sydow, and Dan Synek. Thanks to Dan Synek also 
for his co-authorship of the report which the chapter on trees is based on. 

Finally, we would like to thank STU, the National Swedish Board For Tech¬ 
nical Development, for financial support. 

Bengt Nordstrom, Kent Petersson and Jan Smith 
Goteborg, Midsummer Day 1989. 
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Chapter 1 

Introduction 


In recent years several formalisms for program construction have been intro¬ 
duced. One such formalism is the type theory developed by Per Martin-Lof. It 
is well suited as a theory for program construction since it is possible to express 
both specifications and programs within the same formalism. Furthermore, the 
proof rules can be used to derive a correct program from a specification as well 
as to verify that a given program has a certain property. This book contains an 
introduction to type theory as a theory for program construction. 

As a programming language, type theory is similar to typed functional lan¬ 
guages such as Hope [18] and ML [44], but a major difference is that the evalua¬ 
tion of a well-typed program always terminates. In type theory it is also possible 
to write specifications of programming tasks as well as to develop provably cor¬ 
rect programs. Type theory is therefore more than a programming language and 
it should not be compared with programming languages, but with formalized 
programming logics such as LCF [44] and PL/CV [24]. 

Type theory was originally developed with the aim of being a clarification of 
constructive mathematics, but unlike most other formalizations of mathematics 
type theory is not based on first order predicate logic. Instead, predicate logic 
is interpreted within type theory through the correspondence between propo¬ 
sitions and sets [28, 52]. A proposition is interpreted as a set whose elements 
represent the proofs of the proposition. Hence, a false proposition is interpreted 
as the empty set and a true proposition as a non-empty set. Chapter 2 contains 
a detailed explanation of how the logical constants correspond to sets, thus ex¬ 
plaining how a proposition could be interpreted as a set. A set cannot only be 
viewed as a proposition; it is also possible to see a set as a problem description. 
This possibility is important for programming, because if a set can be seen as 
a description of a problem, it can, in particular, be used as a specification of a 
programming problem. When a set is seen as a problem, the elements of the set 
are the possible solutions to the problem; or similarly if we see the set as a spec¬ 
ification, the elements are the programs that satisfy the specification. Hence, 
set membership and program correctness are the same problem in type theory, 
and because all programs terminate, correctness means total correctness. 

One of the main differences between the type theory presentation in this 
book and the one in [69] is that we use a uniform notation for expressions. 
Per Martin-Lof has formulated a theory of mathematical expressions in general, 
which is presented in chapter 3. We describe how arbitrary mathematical ex- 
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pressions are formed and introduce an equality between expressions. We also 
show how defined constants can be introduced as abbreviations of more compli¬ 
cated expressions. 

In Part I we introduce a polymorphic version of type theory. This version is 
the same as the one presented by Martin-Lof in Hannover 1979 [69] and in his 
book Intuitionistic Type Theory [70] except that we use an intensional version 
of the equality. 

Type theory contains rules for making judgements of the following four 
forms: 

A is a set 

Ai and A 2 are equal sets 

a is an element in the set A 

oi and a 2 are equal elements in the set A 

The semantics of type theory explains what judgements of these forms mean. 
Since the meaning is explained in a manner quite different from that which is 
customary in computer science, let us first describe the context in which the 
meaning is explained. When defining a programming language, one often ex¬ 
plains its notions in terms of mathematical objects like sets and functions. Such 
a definition takes for granted the existence and understanding of these objects. 
Since type theory is intended to be a fundamental conceptual framework for the 
basic notions of constructive mathematics, it is infeasible to explain the mean¬ 
ing of type theory in terms of some other mathematical theory. The meaning of 
type theory is explained in terms of computations. The first step in this process 
is to define the syntax of programs and how they are computed. We first intro¬ 
duce the canonical expressions which are the expressions that can be the result 
of programs. When they are defined, it is possible to explain the judgements, 
first the assumption-free and then the hypothetical. A set is explained in terms 
of canonical objects and their equality relation, and when the notion of set is 
understood, the remaining judgement forms are explained. Chapter 4 contains 
a complete description of the semantics in this manner. 

The semantics of the judgement forms justifies a collection of general rules 
about assumptions, equality and substitution which is presented in chapter 5. 

In the following chapters (7 - 17), we introduce a collection of sets and 
set forming operations suitable both for mathematics and computer science. 
Together with the sets, the primitive constants and their computation rules are 
introduced. We also give the rules of a formal system for type theory. The rules 
are formulated in the style of Gentzen’s natural deduction system for predicate 
logic and are justified from 

• the semantic explanations of the judgement forms, 

• the definitions of the sets, and 

• the computation rules of the constants. 

We do not, however, present justifications of all rules, since many of the justifi¬ 
cations follow the same pattern. 

There is a major disadvantage with the set forming operations presented 
in part I because programs sometimes will contain computationally irrelevant 
parts. In order to remedy this problem we will in part II introduce rules which 
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makes it possible to form subsets. However, if we introduce subsets in the 
same way as we introduced the other set forming operations, we cannot justify 
a satisfactory elimination rule. Therefore, we define a new theory, the subset 
theory, and explain the judgements in this new theory by translating them into 
judgements in the basic theory, which we already have given meaning to in part 
I. 

In part III, we briefly describe a theory of types and show how it can be 
used as an alternative way of providing meaning to the judgement forms in 
type theory. The origin of the ideas in this chapter is Martin-Lof’s analysis 
of the notions of proposition, judgement and proof in [71]. The extension of 
type theory presented is important since it makes it possible to introduce more 
general assumptions within the given formalism. We also show how the theory 
of types could be used as a framework for defining some of the sets which were 
introduced in part I. 

In part IV we present some examples from logic and programming. We 
show how type theory can be used to prove properties of programs and also 
how to formally derive programs for given specifications. Finally we describe 
how abstract data types can be specified and implemented in type theory. 


1.1 Using type theory for programming 

Type theory, as it is used in this book, is intended as a theory for program 
construction. The programming development process starts with the task of 
the program. Often, this is just existing in the head of the programmer, but 
it can also exist explicitly as a specification that expresses what the program 
is supposed to do. The programmer, then, either directly writes down a pro¬ 
gram and proves that it satisfies the given specification, or successively derives 
a program from the specification. The first method is called program verifica¬ 
tion and the second program derivation . Type theory supports both methods 
and it is assumed that it is the programmer who bridges the gap between the 
specification and the program. 

There are many examples of correctness proofs in the literature and proofs 
done in Martin-Lof’s type theory can be found in [20, 75, 82]. A theory which 
is similar to type theory is Huet and Coquand’s Calculus of Constructions [27] 
and examples of correctness proofs in this theory can be found in [74]. 

There are fewer examples of formal program derivations in the literature. 
Manna and Waldinger have shown how to derive a unification algorithm using 
their tableau method [63] and there are examples developed in Martin-Lof’s 
type theory in Backhouse et al [6] and in the Theory of Constructions in Paulin- 
Mohring [80]. A formal derivation of the partitioning problem using type theory 
is presented in [87]; a slightly changed version of this derivation is also presented 
in chapter 22. 

In the process of formal program development, there are two different stages 
and usually two different languages involved. First, we have the specification 
process and the specification language, and then the programming process and 
the programming language. The specification process is the activity of find¬ 
ing and formulating the problem which the program is to solve. This process 
is not dealt with in this book. We assume that the programmer knows what 
problem to solve and is able to express it as a specification. A specification is 
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in type theory expressed as a set, the set of all correct programs satisfying the 
specification. The programming process is the activity of finding and formu¬ 
lating a program which satisfies the specification. In type theory, this means 
that the programmer constructs an element in the set which is expressed by the 
specification. The programs are expressed in a language which is a functional 
programming language. So it is a programming language without assignments 
and other side effects. The process of finding a program satisfying a specifica¬ 
tion can be formalized in a programming logic, which has rules for deducing 
the correctness of programs. So the formal language of type theory is used as a 
programming language, a specification language and a programming logic. 

The language for sets in type theory is similar to the type system in program¬ 
ming languages except that the language is much more expressive. Besides the 
usual set forming operations which are found in type systems of programming 
languages (Bool, A+B, A —> B, Ax B, List(^4), etc.) there are operations which 
make it possible to express properties of programs using the usual connectives 
in predicate logic. It is possible to write down a specification without knowing 
if there is a program satisfying it. Consider for example 

(3a 6 N+)(36 € N+)(3c e N+)(3n e N+)(n > 2&a” + b n = c n ) 

which is a specification of a program which computes four natural numbers such 
that Fermat’s last theorem is false. It is also possible that a specification is sat¬ 
isfied by several different programs. Trivial examples of this are “specifications” 
like N, List(N) —> List(N) etc. More important examples are the sorting problem 
(the order of the elements of the output of a sorting program should not be 
uniquely determined by the input), compilers (two compilers producing differ¬ 
ent code for the same program satisfies the same specification as long as the 
code produced computes the correct input-output relation), finding an index of 
a maximal element in an array, finding a shortest path in a graph etc. 

The language to express the elements in sets in type theory constitutes a 
typed functional programming language with lazy evaluation order. The pro¬ 
gram forming operations are divided into constructors and selectors. Construc¬ 
tors are used to construct objects in a set from other objects, examples are 0, 
succ, pair, ini, inr and A . Selectors are used as a generalized pattern matching: 
What in ML is written as 


case p of (x,y) => d 


is in type theory written as 

split(p, ( x,y)d ) 

and if we in ML define the disjoint union by 

datatype (’A,’BjDunion = ini of ’A 
then the ML-expression 

case p of inl(x) => d 
I inr(y) => e 


is in type theory written 


inr of ’B 


when(p, (x)d, (y)e) 



1.1. USING TYPE THEORY FOR PROGRAMMING 


General recursion is not available. Iteration is expressed by using the se¬ 
lectors associated with the inductively defined sets like N and List(A). For 
these sets, the selectors work as operators for primitive recursion over the set. 
For instance, to find a program /(n) on the natural numbers which solves the 
equations 

f m = d 
l /(» + !) = 

one uses the selector natrec associated with the natural numbers. The equations 
are solved by making the definition: 

f(n) = natrec (n,d, (x,y)h(x,y)) 

In order to solve recursive equations which are not primitive recursive, one must 
use the selectors of inductive types together with high order functions. Examples 
of how to obtain recursion schemas other than the primitive ones are discussed 
by Paulson in [84] and Nordstrom [77]. 

Programs in type theory are computed using lazy evaluation. This means 
that a program is considered to be evaluated if it is on the form 

c(ei,..., e n ) 

where c is a constructor and ei,. .., e n are expressions. Notice that there is no 
requirement that the expressions e\ ,..., e n must be evaluated. So, for instance, 
the expression succ(2 2 ) is considered to be evaluated, although it is not fully 
evaluated. If a program is on the form 

s(ei,...,e n ) 

where s is a selector, it is usually computed by first computing the value of the 
first argument. The constructor of this value is then used to decide which of the 
remaining arguments of s which is used to compute the value of the expression. 

When a user wants to derive a correct program from a specification, she uses 
a programming logic. The activity to derive a program is similar to proving 
a theorem in mathematics. In the top-down approach, the programmer starts 
with the task of the program and divides it into subtasks such that the programs 
solving the subtasks can be combined into a program for the given task. For 
instance, the problem of finding a program satisfying B can be reduced to finding 
a program satisfying A and a function taking an arbitrary program satisfying 
A to a program satisfying B. Similarly, the mathematician starts with the 
proposition to be proven and divides it into other propositions such that the 
proofs of them can be combined into a proof of the proposition. For instance, 
the proposition B is true if we have proofs of the propositions A and Ad B. 

Type theory is designed to be a logic for mathematical reasoning, and it is 
through the computational content of constructive proofs that it can be used 
as a programming logic (by identifying programs and proof objects). So the 
logic is rather strong; it is possible to express general mathematical problems 
and proofs. This is important for a logic which is intended to work in practice. 
We want to have a language as powerful as possible to reason about programs. 
The formal system of type theory is inherently open in that it is possible to 
introduce new type forming operations and their rules. The rules have to be 
justified using the semantics of type theory. 
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1.2 Constructive mathematics 

Constructive mathematics arose as an independent branch of mathematics out 
of the foundational crisis in the beginning of this century, mainly developed by 
Brouwer under the name intuitionism. It did not get much support because 
of the general belief that important parts of mathematics were impossible to 
develop constructively. By the work of Bishop, however, this belief has been 
shown to be wrong. In his book Foundations of Constructive Analysis [10], 
Bishop rebuilds constructively central parts of classical analysis; and he does 
it in a way that demonstrates that constructive mathematics can be as elegant 
as classical mathematics. Basic information about the fundamental ideas of 
intuitionistic mathematics is given in Dummet [33], Heyting [50], and Troelstra 
and van Dalen [108, 109]. 

The debate whether mathematics should be built up constructively or not 
need not concern us here. It is sufficient to notice that constructive mathematics 
has some fundamental notions in common with computer science, above all the 
notion of computation. This means that constructive mathematics could be an 
important source of inspiration for computer science. This was realized already 
by Bishop in [11]; Constable made a similar proposal in [23]. 

The notion of function or method is primitive in constructive mathematics 
and a function from a set A to a set B can be viewed as a program which when 
applied to an element in A gives an element in B as output. So all functions in 
constructive mathematics are computable. The notion of constructive proof is 
also closely related to the notion of computer program. To prove a proposition 
(\/x £ A)(3y £ B)P(x,y) constructively means to give a function / which when 
applied to an element a in A gives an element b in B such that P(a, b ) holds. 
So if the proposition (Vx£ A)(3y £ B)P(x,y) expresses a specification, then the 
function / obtained from the proof is a program satisfying the specification. 

A constructive proof could therefore itself be seen as a computer program 
and the process of computing the value of a program corresponds to the process 
of normalizing a proof. There is however a small disadvantage of using a con¬ 
structive proof as a program because the proof contains a lot of computationally 
irrelevant information. To get rid of this information Goto [45], Paulin-Mohring 
[80], Sato [93], Takasu [106] and Hayashi [49] have developed different tech¬ 
niques to synthesize a computer program from a constructive proof; this is also 
the main objective of the subset theory introduced in Part II of this book. Goad 
has also used the correspondence between proofs and programs to specialize a 
general program to efficient instantiations [41, 42]. 


1.3 Different formulations of type theory 

One of the basic ideas behind Martin-Lof’s type theory is the Curry-Howard 
interpretation of propositions as types, i.e. in our terminology, propositions 
as sets. This view of propositions is related both to Heyting’s explanation of 
intuitionistic logic [50] and, on a more formal level, to Kleene’s realizability 
interpretation of intuitionistic arithmetic [59]. 

Another source for type theory is proof theory. Using the identification of 
propositions and sets, normalizing a derivation is closely related to computing 
the value of the proof term corresponding to the derivation. Tait’s computability 
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method [105] from 1967 has been used for proving normalization for many dif¬ 
ferent theories; in the Proceedings of the Second Scandinavian Logic Symposium 
[38] Tait’s method is exploited in papers by Girard, Martin-Lof and Prawitz. 
One of Martin-Lof’s original aims with type theory was that it could serve as 
a framework in which other theories could be interpreted. And a normalization 
proof for type theory would then immediately give normalization for a theory 
expressed in type theory. 

In Martin-Lof’s first formulation of type theory [64] from 1971, theories 
like first order arithmetic, Godel’s T [43], second order logic and simple type 
theory [22] could easily be interpreted. However, this formulation contained a 
reflection principle expressed by a universe V and including the axiom VgV, 
which was shown by Girard to be inconsistent. Coquand and Huet’s Theory 
of Constructions [26] is closely related to the type theory in [64]: instead of 
having a universe V, they have the two types Prop and Type and the axiom 
Prop € Type. If the axiom Type £ Type is added to the theory of constructions 
it would, by Girard’s paradox, become inconsistent. 

Martin-Lof’s formulation of type theory in 1972 An Intuitionistic Theory 
of Types [66] is similar to the polymorphic and intensional set theory in this 
book. Intensional here means that the judgemental equality is understood as 
definitional equality; in particular, the equality is decidable. In the formulation 
used in this book, the judgemental equality a = b £ A depends on the set A 
and is meaningful only when both a and b are elements in A. In [66], equality 
is instead defined for two arbitrary terms in a universe of untyped terms. And 
equality is convertibility in the sense of combinatory logic. A consequence of this 
approach is that the Church-Rosser property must be proved for the convert¬ 
ibility relation. In contrast to Coquand and Huet’s Theory of Constructions, 
this formulation of type theory is predicative. So, second order logic and simple 
type theory cannot be interpreted in it. 

Although the equality between types in [66] is intensional, the term model 
obtained from the normalization proof in [66] has an extensional equality on the 
interpretation of the types. Extensional equality means the same as in ordinary 
set theory: Two sets are equal if and only if they have the same elements. To 
remedy this problem, Martin-Lof made several changes of the theory, resulting 
in the formulation from 1973 in An Intuitionistic Theory of Types: Predicative 
Part [68]. This theory is strongly monomorphic in that a new constant is in¬ 
troduced in each application of a rule. Also, conversion under lambda is not 
allowed, i.e. the rule of ^-conversion is abandoned. In this formulation of type 
theory, type checking is decidable. The concept of model for type theory and 
definitional equality are discussed in Martin-Lof [67]. 

The formulation of type theory from 1979 in Constructive Mathematics and 
Computer Programming [69] is polymorphic and extensional. One important 
difference with the earlier treatments of type theory is that normalization is not 
obtained by metamathematical reasoning. Instead, a direct semantics is given, 
based on Tait’s computability method. A consequence of the semantics is that 
a term, which is an element in a set, can be computed to normal form. For 
the semantics of this theory, lazy evaluation is essential. Because of a strong 
elimination rule for the set expressing the extensional equality, judgemental 
equality is not decidable. This theory is also the one in Intuitionistic Type 
Theory [70]. It is treated in this book and is obtained if the equality sets 
introduced in chapter 8 are expressed by the rules for Eq. It is also the theory 
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used in the Nuprl system [25] and by the group in Groningen [6]. 

In 1986, Martin-Lof put forward a framework for type theory. The framework 
is based on the notion of type and one of the primitive types is the type of sets. 
The resulting set theory is monomorphic and type checking is decidable. The 
theory of types and monomorphic sets is the topic of part III of this book. 

1.4 Implementations of programming logics 

Proofs of program correctness and formal derivations of programs soon become 
very long and tedious. It is therefore very easy to make errors in the derivations. 
So one is interested in formalizing the proofs in order to be able to mechanically 
check them and to have computerized tools to construct them. 

Several proof checkers for formal logics have been implemented. An early 
example is the AUTOMATH system [31, 30] which was designed and imple¬ 
mented by de Bruijn et al to check proofs of mathematical theorems. Quite 
large proofs were checked by the system, for example the proofs in Landau’s 
book: Grundlagen [58]. Another system which is more intended as a proof as¬ 
sistant is the Edinburgh (Cambridge) LCF system [44, 85]. In this system a 
user can construct proofs in Scotts’s logic for computable functions. The proofs 
are constructed in a goal directed fashion, starting from the proposition the user 
wants to prove and then using tactics to divide it into simpler propositions. The 
LCF system also introduced the notion of metalanguage (ML) in which the user 
could implement her own proof strategies. Based on the LCF system, a similar 
system for Martin-Lof’s type theory was implemented in Goteborg 1982 [86]. 
Another, more advanced system for type theory was developed by Constable et 
al at Cornell University [25]. 

In contrast with these systems, which were only suited for one particular 
logical theory, logical frameworks have been designed and implemented. Harper, 
Honsell and Plotkin have defined a logical framework called Edinburgh LF [48]. 
This theory was then implemented, using the Cornell Synthesizer. Paulson has 
implemented a general logic proof assistant, Isabelle [83], and type theory is 
one of the logics implemented in this framework. Huet and Coquand at INRIA 
Paris also have an implementation of their Calculus of Constructions [56]. 



Chapter 2 


The identification of sets, 
propositions and 
specifications 


The judgement 

a e A 

in type theory can be read in at least the following ways: 

• a is an element in the set A. 

• a is a proof object for the proposition A. 

• a is a program satisfying the specification A. 

• a is a solution to the problem A. 

The reason for this is that the concepts set, proposition, specification and prob¬ 
lem can be explained in the same way. 


2.1 Propositions as sets 

In order to explain how a proposition can be expressed as a set we will explain 
the intuitionistic meaning of the logical constants, specifically in the way of 
Heyting [50]. In classical mathematics, a proposition is thought of as being true 
or false independently of whether we can prove or disprove it. On the other 
hand, a proposition is constructively true only if we have a method of proving 
it. For example, classically the law of excluded middle, A V ->A, is true since 
the proposition A is either true or false. Constructively, however, a disjunction 
is true only if we can prove one of the disjuncts. Since we have no method of 
proving or disproving an arbitrary proposition A, we have no proof of A V —>A 
and therefore the law of excluded middle is not intuitionistically valid. 

So, the constructive explanations of propositions are spelled out in terms of 
proofs and not in terms of a world of mathematical objects existing indepen¬ 
dently of us. Let us first only consider implication and conjunction. 
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A proof of A D B is a function (method, program) which to each 
proof of A gives a proof of B. 

For example, in order to prove Ad A we have to give a method which to each 
proof of A gives a proof of A; the obvious choice is the method which returns 
its input as result. This is the identity function Ax.x, using the A-notation. 

A proof of A & B is a pair whose first component is a proof of A and 
whose second component is a proof of B. 

If we denote the left projection by fst, i.e. fst({a, b)) = a where (a, b) is the pair 
of a and b, Ax.fst(x) is a proof of (A & B) D A, which can be seen as follows. 
Assume that 

a; is a proof of A & B 

Since x must be a pair whose first component is a proof of A, we get 
fst(x) is a proof of A 

Hence, A x.fst(x) is a function which to each proof of ASz B gives a proof of A, 
i.e. A x.fst(x) is a proof of Ak, B D A. 

The idea behind propositions as sets is to identify a proposition with the set 
of its proofs. That a proposition is true then means that its corresponding set is 
nonempty. For implication and conjunction we get, in view of the explanations 
above, 


Ad .B is identified with A —> B, the set of functions from A to B. 


and 


A& B is identified with Ax B, the cartesian product of A and B. 

Using the A-notation, the elements in A —► B are of the form Ax.b(x), where 
b(x) £ B when x € A, and the elements in set Ax B are of the form (a, b) where 
a £ A and b £ B. 

These identifications may seem rather obvious, but, in case of implication, 
it was first observed by Curry [28] but only as a formal correspondence of the 
types of the basic combinators and the logical axioms for a language only in¬ 
volving implication. This was extended to first order intuitionistic arithmetic by 
Howard [52] in 1969. Similar ideas also occur in de Bruijn [31] and Lauchli [61]. 
Scott [97] was the first one to suggest a theory of constructions in which propo¬ 
sitions are introduced by types. The idea of using constructions to represent 
proofs is also related to recursive realizability interpretations, first developed by 
Kleene [59] for intuitionistic arithmetic and extensively used in metamathemat- 
ical investigations of constructive mathematics. 

These ideas are incorporated in Martin-Lof’s type theory, which has enough 
sets to express all the logical constants. In particular, type theory has function 
sets and cartesian products which, as we have seen, makes it possible to express 
implication and conjunction. Let us now see what set forming operations are 
needed for the remaining logical constants. 

A disjunction is constructively true only if we can prove one of the disjuncts. 
So a proof of A V B is either a proof of A or a proof of B together with the 
information of which of A or B we have a proof. Hence, 
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A V B is identified with A + B, the disjoint union of A and B. 

The elements in A + B are of the form inl(a) and inr(6), where a £ A and b £ B. 

Using = for definitional equality, we can define the negation of a proposition 
A as: 

->A = Ad T 

where T stands for absurdity, i.e. a proposition which has no proof. If we let 0 
denote the empty set, we have 

->A is identified with the set A —> 0 

using the interpretation of implication. 

For expressing propositional logic, we have only used sets (types) that are 
available in many programming languages. In order to deal with the quantifiers, 
however, we need operations defined on families of sets, i.e. sets B(x) depending 
on elements x in some set A. Heyting’s explanation of the existential quantifier 
is the following. 

A proof of (3 x£A)B(x) consists of a construction of an element a 
in the set A together with a proof of B(a). 

So, a proof of (3 x£A)B(x) is a pair whose first component a is an element in the 
set A and whose second component is a proof of B(a). The set corresponding 
to this is the disjoint union of a family of sets, denoted by (T,x£A)B(x). The 
elements in this set are pairs (a,b) where a £ A and b £ B(a). We get the 
following interpretation of the existential quantifier. 

(3a;e A)£?(x) is identified with the set ( T,x£A)B(x ) 

Finally, we have the universal quantifier. 

A proof of (Vx £ A)B(x) is a function (method, program) which to 
each element a in the set A gives a proof of B(a). 

The set corresponding to the universal quantifier is the cartesian product of a 
family of sets, denoted by (ILre A)B{x). The elements in this set are functions 
which, when applied to an element a in the set A gives an element in the set 
B(a). Hence, 

(Vx£A)B(x) is identified with the set (Ux£A)B(x). 

The elements in (n# £ A)B(x) are of the form A x.b(x) where b(x) £ B(x) for 
x £ A. 

Except the empty set, we have not yet introduced any sets that correspond 
to atomic propositions. One such set is the equality set a =a b , which expresses 
that a and b are equal elements in the set A. Recalling that a proposition is 
identified with the set of its proofs, we see that this set is nonempty if and only 
if a and b are equal. If a and b are equal elements in the set A, we postulate 
that the constant id (a) is an element in the set a =a b. This is similar to 
recursive realizability interpretations of arithmetic where one usually lets the 
natural number 0 realize a true atomic formula. 
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2.2 Propositions as tasks and specifications of 
programs 

Kolmogorov [60] suggested in 1932 that a proposition could be interpreted as a 
problem or a task in the following way. 

If A and B are tasks then 

A & B is the task of solving the tasks A and B. 

A V B is the task of solving at least one of the tasks A and B. 

Ad B is the task of solving the task B under the assumption that 
we have a solution of A. 

He showed that the laws of the constructive propositional calculus can be vali¬ 
dated by this interpretation. The interpretation can be used to specify the task 
of a program in the following way. 

A & B is a specification of programs which, when executed, yield a 
pair (a, b), where a is a program for the task A and b is a program 
for the task B. 

A V B is a specification of programs which, when executed, either 
yields ini (a) or inr(6), where a is a program for A and b is a program 
for B. 

A D B is a specification of programs which, when executed, yields 
A x.b(x), where b(x) is a program for B under the assumption that 
a; is a program for A. 

This explanation can be extended to the quantifiers: 

(Va :gA)B(x) is a specification of programs which, when executed, 
yields A x.b(x), where b(x) is a program for B(x) under the assump¬ 
tion that x is an object of A. This means that when a program for 
the problem (Vx £ A)B(x) is applied to an arbitrary object x of A, 
the result will be a program for B(x). 

(3a ;£A)B(x) specifies programs which, when executed, yields (a, b), 
where a is an object of A and b a program for B(a). So, to solve the 
task (3 xeA)B(x) it is necessary to find a method which yields an 
object a in A and a program for B(a). 

To make this into a specification language for a programming language it is 
of course necessary to add program forms which makes it possible to apply a 
function to an argument, to compute the components of a pair, to find out how 
a member of a disjoint union is built up, etc. 



Chapter 3 

Expressions and definitional 
equality 


This chapter describes a theory of expressions, abbreviations and definitional 
equality. The theory was developed by Per Martin-Lof and first presented by 
him at the Brouwer symposium in Holland, 1981; a further developed version 
of the theory was presented in Siena 1983. 

The theory is not limited to type theoretic expressions but is a general 
theory of expressions in mathematics and computer science. We shall start with 
an informal introduction of the four different expression forming operations in 
the theory, then informally introduce arities and conclude with a more formal 
treatment of the subject. 

3.1 Application 

In order to see what notions are needed when building up expressions, let us 
start by analyzing the mathematical expression 

y + sin y 

We can view this expression as being obtained by applying the binary addition 
operator + on y and sin(y), where the expression sin(y) has been obtained by 
applying the unary function sin on y. 

If we use the notation 

e(ei,...,e n ) 

for applying the expression e on ej,- e n . the expression above should be 

written 

•4-(y,sm(y)) 

and we can picture it as a syntax tree: 
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Figure 3.1: Syntax tree for the expression +(j/,sin(y)) 

Similarly, the expression (from ALGOL 68) 

while x>0 do x:=x-l; f (x) od 

is analyzed as 

while(>(x,0), 

;(:=(x, 

-(x,l) 

>. 

call(f,x) 

) 

) 

The standard analysis of expressions in Computing Science is to use syntax 
trees, i.e. to consider expressions being built up from n-ary constants using 
application. A problem with that approach is the treatment of bound variables. 

3.2 Abstraction 

In the expression 

[ (v + sin (y))dy 

the variable y serves only as a placeholder; we could equally well write 

J (u + sin (u))du or J (z + sm.(z))dz 

The only purpose of the parts dy, du and dz, respectively, is to show what 
variable is used as the placeholder. If we let □ denote a place, we could write 

^ (□ + sin(l=])) 

for the expression formed by applying the ternary integration operator f on the 
integrand □ + sin(D) and the integration limits 1 and x. The integrand has 
been obtained by functional abstraction of y from y + sin(y). We will use the 
notation 

(z)e 



3.3. COMBINATION 


15 


for the expression obtained by functional abstraction of the variable x in e, i.e. 
the expression obtained from e by looking at all free occurrences of the variable 
x in e as holes. So, the integral should be written 

+(y,sin(y))%i,x) 

Since we have introduced syntactical operations for both application and 
abstraction it is possible to express an object by different syntactical forms. An 
object which syntactically could be expressed by the expression 


could equally well be expressed by 


(( x ) e ) ( x ) 

When two expressions are syntactical synonyms, we say that they are defini- 
tionally, or intensionally, equal , and we will use the symbol = for definitional 
(intensional) equality between expressions. The definitional equality between 
the expressions above is therefore written: 

e = {{x)e){x) 

Note that definitional equality is a syntactical notion and that it has nothing 
to do with the meaning of the syntactical entities. 

We conclude with a few other examples of how to analyze common expres¬ 
sions using application and abstraction: 

t} - 

(VxeN)(a: > 0) = 

for i from 1 to n do S = 

3.3 Combination 

We have already seen examples of applications where the operator has been 
applied to more than one expression, for example in the expression +(y, sin(y) j. 
There are several possibilities to syntactically analyze this situation. It is pos¬ 
sible to understand the application operation in such a way that an operator 
in an application may be applied to any number of arguments. Another way 
is to see such an application just as a notational shorthand for a repeated use 
of a binary application operation, that is e(ei,... ,e n ) is just a shorthand for 
(... ((e(ei))... (e n )). A third way, and this is the way we shall follow, is to 
see the combination of expressions as a separate syntactical operation just as 
application and abstraction. So if ei, e-i ... and e n are expressions, we may 
form the expression 

ei, e2,..., e n 

which we call the combination of ei, e%, ... and e n . 


X;(l,n,((i)/(l,a«r(i)))) 

V(N. ((*) >(*.()))') 
/or(l,n,((i)S))) 
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Besides its obvious use in connection with functions of several arguments, 
the combination operation is also used for forming combined objects such as 
orderings 

A,< 

where A is a set and < is a reflexive, antisymmetric and transitive relation on 
A, and finite state machines, 

S, s 0 , E, S 

where S is a finite set of states, so £ S is an initial state, E an alphabet and 5 
a transition/output function. 


3.4 Selection 

Given an expression, which is a combination, we can use the syntactical opera¬ 
tion selection to retrieve its components. If e is a combination with n compo¬ 
nents, then 

(e)i 

is an expression that denotes the i’th component of e if 1 < i < n. We have the 
defining equation 


(ei,..., e n ).i = e* 


where 1 < i < n. 


3.5 Combinations with named components 

The components of the combinations we have introduced so far have been de¬ 
termined by their position in the combination. In many situations it is much 
more convenient to use names to distinguish the components. We will therefore 
also introduce a variant where we form a combination not only of expressions 
but also of names that will identify the components. If ei, e-2 ... and e n are 
expressions and i\, (^ ... and i n , (n > 1), are different names, then we can form 
the expression 

i\ '• e U i 2 • 62 5 • • • 5 

which we call a combination with named components. 

To retrieve a component from a combination with named components, the 
name of the component, of course, is used instead of the position number. So if 
e is a combination with names i\ , ..., i n , then 

(where ij is one of i ±,..., i n ) is an expression that denotes the component with 
name ij. 

We will not need combinations with named components in this monograph 
and will not explore them further. 




3.6. ARITIES 


17 


3.6 Arities 

From the examples above, it seems perhaps natural to let expressions in general 
be built up from variables and primitive constants by means of abstraction, 
application, combination and selection without any restrictions. This is also 
the analysis, leaving out combinations, made by Church and Curry and their 
followers in combinatory logic. 

However, there are unnatural consequences of this way of defining expres¬ 
sions. One is that you may apply, e.g., the expression succ, representing the 
successor function, on a combination with arbitrarily many components and 
form expressions like succ(a;i,£2,*3), although the successor function only has 
one argument. You may also select a component from an expression which is not 
a combination, or select the m’th component (m > n) from a combination with 
only n components. Another consequence is that self-application is allowed; 
you may form expressions like succ(succ). Self-application, together with the 
defining equation for abstraction: 

((x)d)(e) = d[x := e] 

where d[x := e] denotes the result of substituting e for all free occurrences of 
x in d, leads to expressions in which definitions cannot be eliminated. This is 
seen by the well-known example 

((a;)a;(a;))((a;)a;(a;)) f§ ((a:)a:(x))((a:)a:(x)) = ... 

From Church [21] we also know that if expressions and definitional equality 
are analyzed in this way, it will not be decidable whether two expressions are 
definitionally equal or not. This will have effect on the usage of a formal system 
of proof rules since it must be mechanically decidable if a proof rule is properly 
applied. For instance, in Modus Ponens 

AdB A 
B 

it would be infeasible to require anything but that the implicand of the first 
premise is definitionally equal to the second premise. Therefore, definitional 
equality must be decidable and definitions should be eliminable. The analysis 
given in combinatory logic of these concepts is thus not acceptable for our 
purposes. Per Martin-Lof has suggested, by going back to Frege [39], that with 
each expression there should be associated an arity, showing the “functionality” 
of the expression. Instead of just having one syntactical category of expressions, 
as in combinatory logic, the expressions are divided into different categories 
according to which syntactical operations are applicable. The arities are similar 
to the types in typed A-calculus, at least from a formal point of view. 

An expression is either combined , in which case it is possible to select com¬ 
ponents from it, or it is single. Another division is between unsaturated ex¬ 
pressions, which can be operators in applications, and saturated expressions, 
which cannot. The expressions which are both single and saturated have arity 
0, and neither application nor selection can be performed on such expressions. 
The unsaturated expressions have arities of the form (a—»/3), where a and 0 
are arities; such expressions may be applied to expressions of arity a and the 
application gets arity 0. For instance, the expression sin has arity (0—»0) and 
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may be applied to a variable x of arity 0 to form the expression sin(a;) of arity 
0. The combined expressions have arities of the form (ai® ... ®a n ), and from 
expressions of this arity, one may select the i'th. component if 1 < i < n. The 
selected component is, of course, of arity a*. For instance, an ordering A, < has 
arity (0®((0®0)—»0)). 

So we make the definition: 

Definition 1 The arities are inductively defined as follows 

1. 0 is an arity; the arity of single, saturated expressions. 

2. If a\,... ,a n (n> 2 ) are arities, then (ai® • • • ®a„) is an arity; the arity 
of a combined expression. 

3. If a and (3 are arities, then (a—»/3) is an arity; the arity of unsaturated 
expressions. 

The inductive clauses generate different arities; two arities are equal only if they 
are syntactically identical. The arities will often be written without parentheses; 
in case of conflict, like in 


0 —» 0®0 

—» will have lower priority than ®. The arity above should therefore be under¬ 
stood as 


( 0 -*( 0 ® 0 )) 

We always assume that every variable and every primitive (predefined) constant 
has a unique arity associated with it. 

The arities of some of the variables and constants we have used above are: 


Expression 

Arity 

y 

0 

X 

0 

1 

0 

sin 

0^0 

succ 

0^0 

+ 

0®0—»0 

I 

((0^0)®0®0)^0 


From the rules of forming expressions of a certain arity, which we will give, it 
is easy to derive the arities 


Expression 

Arity 

sin (y) 

0 

+(y,sin(y)) 

0 

(y) + (2/1 sin(y)) 

0^0 

f((y) + (y,sm(y)),l,x) 

0 

succ(x) 

0 


However, neither succ(succ) nor succ (a:) (a:) can be formed, since succ can only 
be applied to expressions of arity 0 and succ(x) is a complete expression which 
can not be applied to any expression whatsoever. 
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3.7 Definitions 

We allow abbreviatory definitions (macros) of the form 
c = e 

where c is a unique identifier and e is an expression without free variables. We 
will often write 

c(x 1 ,x 2 ,...,x n ) = e 

instead of 

c = (xi,X2, ■ ■ ■ ,x n )e 

In a definition, the left hand side is called definiendum and the right hand 
side definiens. 

3.8 Definition of what an expression of a certain 
arity is 

In the rest of this chapter, we will explain how expressions are built up from 
variables and primitive constants, each with an arity, and explain when two 
expressions are (definitionally, intensionally) equal. 

1. Variables. If x is a variable of arity a, then 


is an expression of arity a. 

2. Primitive constants. If c is a primitive constant of arity a , then 


is an expression of arity a. 

3. Defined constants. If, in an abbreviatory definition, the definiens is an 
expression of arity a, then so is the definiendum. 

4. Application. If d is an expression of arity a—»/3 and a is an expression of 
arity a, then 

d(a) 

is an expression of arity p. 

5. Abstraction. If b is an expression of arity p and x a variable of arity a, 
then 

((x)b) 

is an expression of arity a—»/3. In cases where no ambiguities can occur, 
we will remove the outermost parenthesis. 
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6. Combination. If ai is an expression of arity a- t , a 2 is an expression of arity 
a 2, ... and a n is an expression of arity a n , 2 < n, then 

CL\ , CZ-2 ? • • • j Cl n 

is an expression of arity ai®«2® ■ ■ • ®a n . 

7. Selection. If a is an expression of arity oq® • • • ®a n and 1 < i < n, then 

(a)i 


is an expression of arity a». 


3.9 Definition of equality between two expres¬ 
sions 

We will use the notation a : a for a is an expression of arity a and a = b : a for 
a and b are equal expressions of arity a. 

1. Variables. If a; is a variable of arity a, then 

x = x : a 

2. Constants. If c is a constant of arity a, then 

c = c: a 

3. Definiendum = Dejiniens. If a is a definiendum with definiens b of arity 
a, then 

a = b:a 

4. Application 1. If o = a' : a—»/3 and b = b' : a, then 

a(b) m a!(V) : 0 

5. Application 2. (0-rule). If a; is a variable of arity a, a an expression of 
arity a and b an expression of arity 0, then 

((x)b)(a) = b[x := a] : 0 

provided that no free variables in a becomes bound in b[x := a]. 

6. Abstraction 1. ((,-rule). If a: is a variable of arity a and b=b':0, then 

(x)b = (x)b' : a—»0 

7. Abstraction 2. (a-rule). If x and y are variables of arity a and b : 0, then 

(x)b = ( y)(b[x := y\) : a^0 


provided that y does not occur free in b. 
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8. Abstraction 3. (rj-rule). If a; is a variable of arity a and b is an expression 
of arity a—»/3, then 

(x)(b(x)) = b : a—»/3 
provided that x does not occur free in b. 

9. Combination 1. If a\ = a' x : cu, a-2 = a' 2 : 012 , ■ • ■ and a n = a' n : a n , then 

01,02,..., a n = a^, a' 2 ,..., a' n : ■ • • ®a n 

10. Combination 2. If e : ai® • • • ®a n then 

(e).l, (e).2,..., (e).n = e : ai® • • • 


11. Selection 1. If a = a’ : oq® • • • ®a„ and 1 < i < n, then 


{a).i = (a').i: a* 

12. Selection 2. If a\ : ai,..., a n : a n and 1 < i < n then 
(ai,. ..a n ).i = ai\ai 


13. Reflexivity. If a : a, then a = a: a. 

14. Symmetry. If a = b : a, then b = a : a. 

15. Transitivity. If a = b : a and b = c : a, then a = c : a. 

From a formal point of view, this is similar to typed A-calculus. The proof 
of the decidability of equality in typed A-calculus can be modified to yield a 
proof of decidability of =. It is also possible to define a normal form such that 
an expression on normal form does not contain any subexpressions of the forms 
((x)b)(a) and (ai,... ,a n ).i. It is then possible to prove that every expression 
is definitionally equal to an expression on normal form. Such a normalization 
theorem, leaving out combinations, is proved in Bjerner [14]. 

A note on the concrete syntax used in this book 

When we are writing expressions in type theory we are not going to restrict 
ourselves to prefix constants but will use a more liberal syntax. We will freely 
use parentheses for grouping and will in general introduce new syntax by explicit 
definitions, like 


(nxeA)B(x) = u(A,B) 

If x is a variable of arity oq® • • • ®a„ we will often use a form of pattern 
matching and write 

(aq,..., x n )e 

instead of (a:)e and, correspondingly, write x t instead of x.i for occurrences of 
x.i in the expression e. 
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Part I 

Polymorphic sets 
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Chapter 4 

The semantics of the 
judgement forms 


In the previous chapter, we presented a theory of expressions which is the syn¬ 
tactical basis of type theory. We will now proceed by giving the semantics of 
the polymorphic set theory. We will do that by explaining the meaning of a 
judgement of each of the forms 

• A is a set 

• Ai and A 2 are equal sets 

• a is an element in the set A 

• ai and a2 are equal elements in the set A 

When reading a set as a proposition, we will also use the judgement forms 

• A is a proposition 

• A is true, 

where the first is the same as the judgement that A is a set and the second one 
means the same as the judgement a is an element in A, but we do’t write down 
the element a. We will later, in chapter 18 introduce subsets and then separate 
propositions and sets. 

The explanation of the judgement forms is, together with the theory of ex¬ 
pressions, the foundation on which type theory is built by the introduction of 
various individual sets. So, the semantical explanation, as well as the intro¬ 
duction of the particular sets, is independent of and comes before any formal 
system for type theory. And it is through this semantics that the formal rules 
we will give later are justified. 

The direct semantics will be explained starting from the primitive notion of 
computation (evaluation); i.e. the purely mechanical procedure of finding the 
value of a closed saturated expression. Since the semantics of the judgement 
forms does not depend on what particular primitive constants we have in the 
language, we will postpone the enumeration of all the constants and the com¬ 
putation rules to later chapters where the individual sets are introduced. A 
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summary of the constants and their arities is also in appendix A.l. Concerning 
the computation of expressions in type theory, it is sufficient to know that the 
general strategy is to evaluate them from without, i.e. normal order or lazy 
evaluation is used. 

The semantics is based on the notion of canonical expression. The canonical 
expressions are the values of programs and for each set we will give conditions 
for how to form a canonical expression of that set. Since canonical expressions 
represents values, they must be closed and saturated. Examples of expressions, 
in other programming languages, that correspond to canonical expressions in 
type theory, are 


3, true, cons(l,cons(2, nil)) and Xx.x 

and expressions that correspond to noncanonical expressions are, for example, 
3+5, if 3 = 4 then fst((3, 4)) else snd((3,4)) and (Xx.x + 1)(12 + 13) 

Since all primitive constants we use have arities of the form ai \® ... ®u n — »0, 
n > 0, the normal form of a closed saturated expression is always of the form 

c(ei, e n ) for n > 0 

where c is a primitive constant and ei, e2,... and e n are expressions. In type 
theory, the distinction between canonical and noncanonical expressions can al¬ 
ways be made from the constant c. It therefore makes sense to divide also the 
primitive constants into canonical and noncanonical ones. A canonical constant 
is, of course, one that begins a canonical expression. To a noncanonical con¬ 
stant there will always be associated a computation rule. Since the general 
strategy for computing expressions is from without, the computation process, 
for a closed saturated expression, will continue until an expression which starts 
with a canonical constant is reached. So an expression is considered evaluated 
when it is of the form 


c(ei, e2,..., e n ) 

where c is a canonical constant, regardless of whether the expressions ei, ..., e n 
are evaluated or not. The expressions 

true, succ(0), succ(2 + 3) and cons(3, append( cons(l, nil), nil)) 

all begin with a canonical constant and are therefore evaluated. This may seem 
a little counterintuitive, but the reason is that when variable binding operations 
are introduced, it may be impossible to evaluate one or several parts of an 
expression. For example, consider the expression X((x)b), where the part (x)b 
cannot be evaluated since it is an unsaturated expression. To compute it would 
be like taking a program which expects input and trying to execute it without 
any input data. 

In order to have a notion that more closely corresponds to what one normally 
means by a value and an evaluated expression, we will call a closed saturated 
expression fully evaluated when it is evaluated and all its saturated parts are 
fully evaluated. The expressions 


true, succ(0) and X((x)(x+ 1)) 
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are fully evaluated, but 

succ(2 + 3) and cons(3, append( cons(l, nil), nil)) 


are not. 

Now that we have defined what it means for an expression to be on canonical 
form, we can proceed with the explanations of the judgement forms: 

• A is a set 

• Ai and A 2 are equal sets 

• a is an element in the set A 

• a-| and a 2 are equal elements in the set A 

• A is a proposition 

• A is true 

4.1 Categorical judgements 

In general, a judgement is made under assumptions, but we will start to explain 
the categorical judgements, that is, judgements without assumptions. 


4.1.1 What does it mean to be a set? 

The judgement that A is a set, which is written 
A set 


is explained as follows: 

To know that A is a set is to know how to form the canonical elements 
in the set and under what conditions two canonical elements are 
equal. 

A requirement on this is that the equality relation introduced between the canon¬ 
ical elements must be an equivalence relation. Equality on canonical elements 
must also be defined so that two canonical elements are equal if they have the 
same form and their parts are equal. So in order to define a set, we must 

• Give a prescription of how to form (construct) the canonical elements, 
i.e. define the syntax of the canonical expressions and the premises for 
forming them. 

• Give the premises for forming two equal canonical elements. 
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4.1.2 What does it mean for two sets to be equal? 

Let A and B be sets. Then, according to the explanation of the first judgement 
form above, we know how to form the canonical elements together with the 
equality relation on them. The judgement that A and B are equal sets, which 
is written 


4 = 


B 


is explained as follows: 

To know that two sets, A and B, are equal is to know that a canon¬ 
ical element in the set A is also a canonical element in the set B 
and, moreover, equal canonical elements of the set A are also equal 
canonical elements of the set B, and vice versa. 

So in order to assert A = B we must know that 

• A is a set 

• B is a set 

• If a is a canonical element in the set A, then it is also a canonical element 
in the set B. 

• If a and a' are equal canonical elements of the set A, then they are also 
equal canonical elements in the set B. 

• If b is a canonical element in the set B, then it is also a canonical element 
in the set A. 

• If b and b' are equal canonical elements in the set B, then they are also 
equal canonical elements in the set A. 

From this explanation of what it means for two sets to be equal, it is clear that 
the relation of set equality is an equivalence relation. 

4.1.3 What does it mean to be an element in a set? 

The third judgement form, saying that a is an element in the set A, which is 
written 


is explained as follows: 

If A is a set then to know that a £ A is to know that a, when 
evaluated, yields a canonical element in A as value. 

In order to assert a € A, we must know that A is a set and that the expression 
a yields a canonical element of A as value. 
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4.1.4 What does it mean for two elements to be equal in 
a set? 

If A is a set, then we can say what it means for two elements in the set A to be 
equal. The explanation is: 

To know that a and b are equal elements in the set A, is to know 
that they yield equal canonical elements in the set A as values. 

Since it is an assumption that A is a set, we already know what it means to be 
a canonical element in the set A and how the equality relation on the canonical 
elements is defined. Consequently, we know what the judgement that the values 
of a and b are equal canonical elements in the set A means. The judgement 
saying that a and b are equal elements in the set A is written 

a = b€ A 


4.1.5 What does it mean to be a proposition? 

To know that A is a proposition is to know that A is a set. 

4.1.6 What does it mean for a proposition to be true? 

To know that the proposition A is true is to have an element a in A. 


4.2 Hypothetical judgements with one assump¬ 
tion 

The next step is to extend the explanations for assumption free judgements to 
cover also hypothetical ones. The simplest assumption is of the form 

xgA 

where x is a variable of arity 0 and A is a set. 

Since sets and propositions are identified in type theory, an assumption can 
be read in two different ways: 

1. As a variable declaration, that is, declaring the set which a free variable 
ranges over, for example, x € N and y € Bool. 

2. As an ordinary logical assumption, that is, x € A means that we assume 
that the proposition A is true and x is a construction for it. 

Being a set, however, may also depend on assumptions. For example, a =..\ b, 
which expresses equality on the set A and is defined in chapter 8, is a set only 
when a € A and b e A. So we are only interested in assumption lists 

aq e A 1; x 2 e A 2 (x i), . . . ,x n e A n (x i,x 2 , ..., a; n _i) 

where each A* (a:i,..., Xj--\ j is a set under the preceding assumptions. Such lists 
are called contexts . We limit ourselves here to assumptions whose variables 
are of arity 0; they are sufficient for everything in type theory except for the 
elimination rule involving the primitive constant funsplit (chapter 7) and the 
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natural formulation of the elimination rule for well-orderings. A more general 
kind of assumption is presented in chapter 19. 

Now we can extend the semantic explanations to judgements depending on 
contexts with assumptions of the form described above. The meaning of an 
arbitrary judgement is explained by induction on the length n of its context. 
We have already given the meaning of judgements with empty contexts and, 
as induction hypothesis, we assume that we know what judgements mean when 
they have contexts of length n —1. However, in order not to get the explanations 
hidden by heavy notation, we will first treat the case with just one assumption. 

4.2.1 What does it mean to be a set under an assumption? 

To know the judgement 


A{x) set [x € C] 

is to know that for an arbitrary element c in the set C, A(c) is a set. Here it is 
assumed that C is a set so we already know what c £ C means. We must also 
know that A(x) is extensional in the sense that if b = c £ C then A(b') = A(c). 

4.2.2 What does it mean for two sets to be equal under 
an assumption? 

The second judgement form is explained as follows: To know that 
A(x) = B(x) [x £C\ 

is to know that 


A(c) = B(c) 

for an arbitrary element c in the set C. Here it is assumed that the judgements 
A(x) set [x £ C] and B(x) set [x £ C] hold. Hence, we know what the 
judgement A(c) = B(c) means, namely that a canonical element in the set A(c) 
is also a canonical element in the set B(c) and equal canonical elements in the 
set A(c) are equal canonical elements in the set B(c) and vice versa. 

4.2.3 What does it mean to be an element in a set under 
an assumption? 

To know that 


a(x) £ A{x) [x £ C] 

is to know that a(c) £ A(c) for an arbitrary element c in the set C. It is here 
assumed that the judgement A(x) set [a: £ C] holds and hence we know what 
it means for an expression to be an element in the set A(c). Hence, we know 
the meaning of a(c) £ A(c). In order to make a judgement of this form, we 
must also know that a(x) is extensional in the sense that if b = c £ C then 
a(b) = a(c) £ A(c). 
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4.2.4 What does it mean for two elements to be equal in 
a set under an assumption? 

To know the judgement 

a(x) = b(x) £ A(x) [x £ C\ 

is to know that o(c) = 6(c) £ A(c) holds for an arbitrary element c in the set C. 

It is here assumed that the judgements A(x) set, a(x) £ A(x) and b(x) £ A(x) 

hold under the assumption that x £ C. 

4.2.5 What does it mean to be a proposition under an 
assumption? 

To know that A(x) is a proposition under the assumption that x £ C is to know 

that A(x) is a set under the assumption that x £ C. 

4.2.6 What does it mean for a proposition to be true un¬ 
der an assumption? 

To know that the proposition A{x) is true under the assumption that x £ C is 

to have an expression a(x) and know the judgement a(x) £ A(x) [x £C\. 


4.3 Hypothetical judgements with several assump¬ 
tions 

We now come to the induction step. The general case of contexts of length n is 
a straightforward generalization of the case with just one assumption. 

4.3.1 What does it mean to be a set under several as¬ 
sumptions? 

To know that 

A(xi,... ,x n ) set [xi £ Ci, . . . ,x n £ C n (xi,... ,x n -i)\ 
is to know that 

A(c ,..., x n ) set [x2 € C2(c), . . . , x n £ C n (c,... 
provided c £ C\. So 

A(xi,... ,x n ) set [#i 6 Ci, . . . ,x n £ C n (x i,... ,x n -i)] 

means that 

vl(ci, ...,c n ) set 

provided 

ci £Ci 

c n £ C n {ci,..., c n _i) 
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It is also inherent in the meaning of a propositional function (family of sets) 
that it is extensional in the sense that when applied to equal elements in the 
domain it will yield equal propositions as result. So, if we have that 

ai = b\ £ Ci 
C*2 = &2 € C2(dl) 


a n = b n £C n (a 1 ,...,a n ) 

then it follows from 

A(xi,... ,x n ) set [xi £ Ci, . . . ,x n £ C n (xi,... ,x n -\)\ 

that 

A(a 1 ,...,a n ) = A{b 1 ,...,b n ) 

4.3.2 What does it mean for two sets to be equal under 
several assumptions? 

Hypothetical judgements of the other forms are defined in a similar way. The 
second judgement form is explained as follows. 

Let A{x i, ..., x n ) and B(x i,..., x n ) be sets in the context 

x\ £ Ci, ..., x n £ C n (x i,...,x n _i) 

Then to know the judgement 

A{x i,... ,x n ) = B(x i,.. .x n ) [xi £ Ci, . . . , x n £ C n (x i,..., x n -i)] 


is to know that 


A(c,... ,x„) = B(c,... ,x n ) [x2 £ C2(c), . . . , x n £ C n (c,x 2,... ,x n -i )] 
provided c£C\. 

4.3.3 What does it mean to be an element in a set under 
several assumptions? 

The third judgement form has the following explanation for a context of length 
n. Let A(xi, ..., x n ) be a set in the context x\ £ C\, . . . , x n £ C n (x 1,... ,x n _i). 
Then to know the judgement 

a(x 1,... ,x n ) £ A(x 1,... ,x n ) [xi £ Ci, . . . , x n £ C n (x 1,... ,x n _i)] 


is to know that 

a(c,2;2,... ,x n ) £ A(c,X 2, ■ ■ ■ ,x n ) [2:2 £ C2 (c), . . . , x n £ C n (ci,... ,2;„_i)] 
provided c £ C±. 




















4.3. HYPOTHETICAL JUDGEMENTS WITH SEVERAL ASSUMPTIONS 


It is also inherent in the meaning of being a functional expression in a set 
that it is extensional in the sense that if it is applied to equal elements in the 
domain it will yield equal elements in the range. So, if we have 

a,i = b\ £ C\ 

0-2 = i>2 € ) 


a n = b n € C n (a i,..., o„) 

then it follows from 

a( xi, ...,x n )£ A(x i, ...,x n ) [xi £ Ci, . . . , x n £ C n (x i,... ,£„_!)] 

that 

a(ai ,..., a n ) = a(bi ,..., b n ) £ A{ai ,..., a n ). 


4.3.4 What does it mean for two elements to be equal in 
a set under several assumptions? 

The fourth judgement form is explained as follows. Let a(xi,...,x n ) and 
b(x i,..., x n ) be elements in the set A(x i,..., x n ) in the context 

xi £ Ci, • • • , x n £ C n (x i,. • •, x n —i ). 


Then to know that 

a(xi, ...,x n ) = b(x i,..., x n ) £ A(xi,... ,x n ) [xi £ Ci, . . . , 

x n £ C n (x i,... ,cc n _i)] 

is to know that 

a(c,X2, ■ ■ • ,x n ) = b(c,x2, ... ,x n ) e A(c,X 2, ■ ■ ■ ,x n ) [x2 e C 2 (c), . . . , 

X n £ C n (c,X2, ■ ■ ■ ,X n -i)\ 


provided c£ Ci. 


4.3.5 What does it mean to be a proposition under several 
assumptions? 

To know 

A(x i,... ,x n ) prop [aq £ Ci, . . . , x n £ C n (x i,... ,x n -i)] 
is to know that 

A(xi,... ,x n ) set [xi £ Ci, . . . , x n £ C n (xi,... ,x n -i)\ 

4.3.6 What does it mean for a proposition to be true un¬ 
der several assumptions? 

To know 

.A(a;i, ..., x n ) true [xi £ Ci, . . . , x n £ C n (xi ,..., a; n _i)] 
is to have an expression a(xi ,..., x n ) and know the judgement 

a(xi,... ,x n ) £ A(x i,... ,x n ) set [xi £ Ci, . . . , x n £ C n (x i,... ,x n -i)\ 
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Chapter 5 

General rules 


In a formal system for type theory there are first some general rules concerning 
equality and substitution. These rules can be justified from the semantical 
explanations given in the previous chapter. Then, for each set forming operation 
there are rules for reasoning about the set and its elements. 

For each set forming operation there are four kinds of rules. 

• The formation rules for A describe under which conditions we may infer 
that A is a set and when two sets A and B are equal. 

• The introduction rules define the set A in that they prescribe how the 
canonical elements are formed and when two canonical elements are equal. 
The constructors for the set are introduced in these rules. 

• The elimination rules show how to prove a proposition about an arbitrary 
element in the set. These rules are a kind of structural induction rules 
in that they state that to prove that an arbitrary element p in the set 
A has a property C(p) it is enough to prove that an arbitrary canonical 
element in the set has that property. The selector, which is a primitive 
noncanonical constant associated with the set is introduced in this kind 
of rule. It is the selector which makes it possible to do pattern-matching 
and primitive recursion over the elements in the set. 

• The equality rules describe the equalities which are introduced by the the 
computation rules for the selector associated with the set. 

In this chapter we will present the general rules, and in later chapters set 
forming operations and their rules. 

We will present the rules in a natural deduction style 

Pi Pi • • • P n 
C 

where the premises Pi, P 2 , ..., P n and the conclusion C in general are hypo¬ 
thetical judgements. When all the premises do not fit on one line, we write the 
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rule with one premise on each line: 

Pi 

P 2 

P n 

■ 'itf: 

When we write a rule, we will only present those assumptions that are dis¬ 
charged by the rule. The formation rule for II will, for instance, be written 
A set B(x) set [x G A] 

H(A, B) set 

The full form of this rule with assumption lists T and A is 
A set [r] B{x) set [A, a: G A] 

II(A, B) set [r, A] 

A rule like this one is applicable to form a proof of the conclusion if we have 
proofs of the two judgements 

• A set [r'] 

• B(x) set [A'] 

and the assumption lists T' and A' in those judgements have the following 
properties 

• r must not contain an assumption for the variable x. 

• If there are assumptions for the same variable in T' and A' the sets in the 
assumptions must be identical, i.e., definitionally equal. 

• If there is an assumption for the variable x in A' it must be the last 
assumption and the set must be A. 

The assumption list [T, A], in the rule above, consists of the assumptions in T 
followed by those assumptions in A which do not occur in I . 

If a rule has a premise of the form a € A, we will often exclude the premise 
A set and if a premise has the form A = B we will often exclude the premises 
A set and B set. And similarly, if the premise is of the form a = b G A, we 
will often exclude the premises A set, a G A and b G A. We also extend this 
to families of sets, so if we have a premise of the form a(x) G B(x) [x G A) 
we exclude the premises A set and B(x) set [x G A}. That these premises are 
required follows from the explanation of a G A, A = B and a = b G A. The full 
form of the introduction rule for —» 

b(x) G B [xgA] 

X(b) gA^B 

is therefore 

Aset [r] B set [A] b(x) G B [6,ieA] 

X(b) gA^B [r,A,©] 

where A, B and b may have occurrences of the variables that are introduced in 
the assumption lists T, A and 0 respectively. 
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5.1 Assumptions 

The first rule we give is the one which makes it possible to introduce assump¬ 
tions. 

Assumption 

A set 

x € A [a; £ A] 

This rule says that if A is a set, then we can introduce a variable x of that set. 

By the correspondence between propositions and sets, and the interpretation 
of true propositions as nonempty sets, the assumption x £ A also serves as the 
assumption that the proposition A is true. An assumption of the form A true 
is therefore an abbreviation of an assumption x £ A where a; is a new variable. 

Applying the assumption rule on the premise A set gives us the judgement 
x £ A [i e 4]. We can see the variable x as a name of an indeterminate proof- 
element of the proposition A. One way to discharge the assumption x € A 
is to find an element a in the set A and substitute it for all free occurrences 
of x. Formally this is done by applying one of the substitution rules that are 
introduced in section 5.5. 


5.2 Propositions as sets 

If we have an element in a set, then we will interpret that set as a true propo¬ 
sition. We have the rule: 

Proposition as set 

a £ A 
A true 


5.3 Equality rules 

We have the following general equality rules: 
Reflexivity 

a € A A set 

a = a € A A^A 

Symmetry 

a = b £ A A = B 

b = a£ A B = A 


Transitivity 

a = b£ A b=c£ A 
a = c£ A 


A = 


B B = C 
A = C 


The rules concerning equality between elements can be justified from the fact 
that they hold for canonical elements. For instance, the symmetry rule can be 
justified in the following way: That a = b € A means that a' = b' £ A, where 
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a' is the value of a and b' is the value of b. Since equality between canonical 
elements is symmetric we have b' = a' £ A, which gives that b= a £ A. 

The other rules are also easily justified, for example the rule concerning 
symmetry of equality between sets: The meaning of A = B is that canonical 
elements in A are canonical in B and equal canonical elements in A are equal 
canonical elements in B. The judgement also means that canonical elements in 
B are canonical in A and that equal canonical elements in B are equal canonical 
elements in A. By just changing the order of these two sentences we get the 
definition of what B = A means. 


5.4 Set rules 

The meanings of the judgement forms A = B, a £ A and a = b £ A immediately 
justify the following rules: 

Set equality 

aeA A=B a = b £ A A=B 

a £ B a = b£ B 


5.5 Substitution rules 

The meanings of the four judgement forms when they depend on a nonempty 
context yield four sets of substitution rules. The judgement 

C(x) set [x £ A] 

means that C(a) is a set, provided a £ A, and that C(a) = C(b) whenever 
a = b £ A. This explanation immediately gives us the rules: 

Substitution in sets 

C(x) set [x £ A] a £ A C(x) set [x £ A] a = b £ A 

C(a) set C(a) = C{b) 

The judgement 

c(x) £ C(x) [x £ A] 

means that c(a) £ C(a ) if a £ A and that c(o) = c(b) £ C(a ) if a = b £ A. This 
justifies the rules: 

Substitution in elements 

c(x) £ C(x) [x £ A] a £ A c(x) £ C(x) [x £ A] a = b£ A 

c(o) € C(a) c(a) = c(b) £ C(a ) 


If we read C(x) as a proposition, and consequently c(x) as a proof-element 
of the proposition, these rules can be used to discharge an assumption. When a 
judgement depends on the assumption that x is a proof-element of the proposi¬ 
tion A, we can substitute an actual proof-element for the indeterminate proof- 
element x and discharge the assumption x £ A. 
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The meaning of the hypothetical judgement 

B(x) = C(x) [x £ A] 

is that B(a) and C(a) are equal sets for any element a in A. Therefore we have 
the rule 

Substitution in equal sets 

B(x ) = C(x) [x £ A] a £ A 
B(a) = C(a) 

Finally, we have the hypothetical judgement 

b(x) = c(x) £ B(x) [x £ A] 

which means that 6(a) and c(a ) are equal elements in B(a), provided that a £ A. 
This justifies the rule 

Substitution in equal elements 

b(x) = c(x) £ B{x) [x £ A] a £ A 
6(a) = c(a) e B(a) 

These rules for substitution are not sufiicient because if we have a judgement 
C(x, y) set [x £ A,y £ B{x)] 

and want to substitute a £ A for x and b £ B(a) for y we cannot use the rules 
given above since they cannot handle the case with simultaneous substitution of 
several variables. We therefore extend the substitution rules to n simultaneous 
substitutions. We present only the rule for substitution in equal sets. 
Substitution in equal sets of n variables 

B(x i,... ,x n ) = C(x i,... ,x n ) [xi £ Ai ,..., x n £ A n (x i,... ,x„_i] 

ai £ Ai 


a n € A n (ai,..., a n -1 
B(ai,... ,a n ) = C(ai, ...,a n ) 

The rule is justified from the meaning of a hypothetical judgement with several 
assumptions. 

Another way to achieve the same effect is to allow substitution in the middle 
of a context. For example if we have a judgement 

C(x, y) set [x £ A,y £ B{x)] 

we could first substitute a £ A for x obtaining the judgement 
C{a,y) set [y £ B(a)\ 

then substitute 6 € B(a) for y. When using type theory to do formal proofs, it 
is convenient to have substitution rules of this form. 
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Chapter 6 

Enumeration sets 


Given n canonical constants i \,.... i n , each of arity 0, we want to be able 
to introduce the enumeration set {i\,... ,i n }. So, we introduce a constant 

{i\ .. i n } of arity 0. It must be immediate from each identifier i/ c to which 

enumeration set it belongs and what position (index) it has. The convention 
we will follow is that an identifier can only belong to one enumeration set and 
the first occurrence of the set decides the index of the elements. We have the 
following formation rule: 

*„} - formation 


{*i,..., i n } set 

The canonical elements of {i\,- are i \, i- 2 , ■■■ and i n which gives the 
following n introduction rules (n > 0): 

{*i,..., i n } - introduction 1 

i\ e {*i,..., i n } ■■■ %€{%...,%} 

Two canonical elements of {*i,..., i n } are equal only if they are the same canon¬ 
ical constants: 

{ii, -.., i n } ~ introduction 2 

i\ = i\ £ {il, . . . , in} ... in = in € {*1, • • • j in} 

The selector expression for {ii,..., /'„} is the expression 
casep li ... ; j n }(a, ,b n ) 

where case^^..^} is a constant of arity »0. The notation for the 

expression case{ il) ... )in }(a, b ±,..., b n ) in ML is 

case a of i\ => b\ 

I in => b n 

We will usually drop the index in case^jsince it is often clear from the 
context. The case-expression is computed in the following way: 
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1. First evaluate a. 

2. If the value of a is 4 (1 < k < n) then the value of the case expression 
is the value of b k . 

We have the following elimination rules: 

{*i,..., i„,} - elimination 1 

a £ [h ,..., i n } 

C(x) set [x £ {*i,.. •, i n }\ 
bi £ C(i i) 

b n £ C(i n ) _ 

case(a, 6 l5 ..., b n ) £ (7(a) 

i n } - elimination 2 

a= a' £ {*i, ■■■An} 

C(x) set [x £ {*i,.. •, *„}] 

&i = b} £ C(i i) 

_ b n = b' n £ C(z») _ 

case(o, bi,...,b n ) = 0356(0', fr),..., 6'„) e (7(a) 

The first elimination rule is justified in the following way. Assume the premises 
of the rule. We have to show that 

case(a, 61,..., b n ) £ (7(a) 

which means that we have to show that the value of case(a, 61,..., b n ) is a 
canonical element in (7(a). This program is computed by first computing the 
value of a. From the first premise we know that the value of a is a canonical 
element in {ij,..., i n }, so the value must be ij for some j, 1 < j <n. The value 
of the case-expression is then the value of bj, according to the computation rule 
for case. From one of the premises, we know that the value of bj is a canonical 
element in So we have shown that the value of the case-expression is a 

canonical value in But this set is equal to the set (7(a). This follows 

from the meaning of the second premise. That C(x) set [x £ {*i,..., i n }] gives 
that (7(a) = C(ij). From the meaning of two sets being equal it follows that 
the value of the program case(a, 61,..., b n ) being a canonical element in C(ij) 
is also a canonical element in (7(a). 

The second elimination rule can be justified in a similar way, using the 
computation rule for the case-expression and the meaning of the different forms 
of judgements. Furthermore, the computation rule justifies n equality rules. For 
each k, 1 < k < n, we get the rule: 

{h ,..., i n } - equality 

C(x) set [x £ in}] b 1 £C(i 1 ) ... b n £C(i n ) 

case(i fc , 61,..., b n ) = b k £ C(i k ) 















6.1. ABSURDITY AND THE EMPTY SET 


43 


6.1 Absurdity and the empty set 

If n = 0 we get the empty set {} which, of course, has no introduction rule. 
The {} - elimination rule becomes: 

{} - elimination 1 

a g {} C{x) set [x g {}] 
case(a) g C(a) 

{} - elimination 2 

a = a' g {} C{x) set [x g {}] 
case(a) = case(a / ) g C(a) 

In the following we will not give rules like the second elimination rule above. 
The general shape of these rules is that sets or elements are equal if their form 
is identical and their parts are equal. For the monomorphic type theory (see 
chapter 19) these rules follows immediately from substitution in objects on the 
type level. 

We will sometimes use the definition 

0 = {} 

Viewing sets as propositions, the empty set corresponds to absurdity, i.e. the 
proposition T which has no proof. So, making the definition 

-L = U 

we get, from the elimination rule for {} by omitting some of the constructions, 
the natural deduction rule for absurdity: 

- elimination 

T true C prop 
C true 

where C is an arbitrary proposition (set). That this rule is correct is a direct 
consequence of the semantics of type theory. If T is true then we have an 
element a in T and then we can use the rule {} - elimination 1 to conclude that 
case(a) g C and hence that C is true. 

6.2 The one-element set and the true proposi¬ 
tion 

There are many sets which are non-empty and thus can be used to represent 
the true proposition T (truth). We make the following definition: 

T = {tt} 

where tt is a new primitive constant of arity 0. From the general rules for the 
enumeration set, we get the following rules: 

T - formation 
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T - introduction 


tteT 


T - elimination 

a g T C[x) set [x&T] be (7(tt) 
case(a,6) e (7(a) 


T - equality 

C(x) set [xeT] be (7(tt) 
*'$$$$$>) = b e C(tt) 


We also get the natural deduction rules for truth: 

T - introduction 

T true 

T - elimination 

T true C true 
C true 

These two rules are usually not formulated in systems of natural deduction. 
The last one is for obvious reasons never used. 


6.3 The set Bool 

In order to form the set of boolean values, we introduce the two constants true 
and false, both of arity 0, and make the definitions 

Bool = {true, false} 
if b then c else d = case(6, c, d) 

As special cases of the rules for enumeration sets, we get 
Bool - formation 


Bool set 


Bool - introduction 

true e Bool false € Bool 

Bool - elimination 

b e Bool C(v) set [v € Bool] c € C(true) d € C(false) 
if b then c else d e (7(6) 


Bool - equality 

C(v) set [u e Bool] c e C(true) d € (7(false) 
if true then c else d = c6 (7(true) 
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C(v) set [i> G Bool] c G C(true) d G C(false) 
if false then c else d = d G C(false) 

Note the difference of true being an element in the set Bool and the judgement 
C true which abbreviates that the set C is non-empty. The judgement C is true 
means that we have a proof of the proposition C, so C is really true since we 
have proven it. The judgement c = true G Bool means only that if we compute 
the program c we get the canonical element true as a result. This has nothing to 
do with truth; we only use true as a convenient name for this canonical element. 
Some programming languages use other names, for instance 0 and 1 are also 
used. Many years of programming practice have shown that it is convenient 
to use the names true and false for the canonical elements in the set with two 
elements. There is, however, something arbitrary in this choice. 

In type theory with a universe (see chapter 14) it is possible to prove that 

‘(true = Boo | false) 

where (true =g 00 | false) is the proposition, to be introduced in chapter 8, which 
is true if true is equal to false . 
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Chapter 7 


Cartesian product of a 
family of sets 

The members of a cartesian product of a family of sets are functions. But a 
cartesian product is more general than the usual set of functions A—>B, since 
the result of applying a function to an argument is in a set which may depend 
on the value to which the function is applied. If / is an element in a cartesian 
product and a and b are expressions, it is, for instance, possible that / applied 
to a is a member of N, the set of natural numbers, and / applied to b is a 
member of Bool. This means that type theory contains functions which are not 
definable in typed programming languages like ML and Pascal. One reason for 
this generality is that it is needed in the definition of the universal quantifier. It 
is also needed when we use sets to specify programs. A specification of a program 
has often the following form: find a function / which for any argument a from 
the set A yields a value in the set B(a). For instance a sorting program takes 
an argument a from the set of integer lists and outputs an ordered permutation 
of o, so the output is in the set Op(a), the set of all ordered permutations of a. 
It is here essential that we can give a specification that expresses how the type 
of the result of the function depends on the value of the argument. 

In order to form a cartesian product of a family of sets we must have a set 
A and a family B of sets on A , i.e. 


and 


B(x) set [x e A] 

We will use the primitive constant II of arity 0®(0—»0)—»0 when forming a 
cartesian product. So 


II(A, B) 

denotes the cartesian product of A and B. The following explicit definition is 
used: 


(ILc &A)B{x) = n (A,B) 
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We have to define the canonical elements in IKA. B) and define what it means 
for two canonical elements to be equal. The elements in H(A. B) are functions 
and we will use the lambda notation for expressing them. So we introduce the 
primitive constant A of arity (0—»0)—»0. The basic notion of function is an 
expression formed by abstraction. Therefore the canonical elements in 11(^4, B) 
will be formed by applying the A on an abstraction b such that b(x) is an element 
of B(x) when x £ A: 

A (b) is a canonical element in H(A-, B) if b(x) £ B(x) [x £ A}. 

The equality between two canonical elements A(/q) and A(62) of U(A. B) is 
derived from the equality on the family B(x) on A : 

A(&i) and A(62) are equal canonical elements in H(A, B) provided 
that 61 (x) = bi{x) £ B(x) [a: £ A], 

The primitive non-canonical constant for the II-set is apply of arity 0®0—»0. 
It is the constant used for applying an element in H(A, B) to an element in A. 
Hence, it has the following computation rule: 

1. apply(/, a) is evaluated by first evaluating /. 

2. If / has value A(6) then the value of apply(/, a) is the value of b(a). 

We will later, in section 7.2, give an alternative non-canonical constant for 
the n-set. 

One of the main reasons for introducing the n-set is that it is needed when 
interpreting the universal quantifier, which has the following Heyting interpre¬ 
tation: 

(Vx £ A)B(x) is true if we can construct a function which when 
applied to an element a in the set A, yields a proof of B(a). 

If we identify the proposition B(x) with the family of sets B{x) [x £ A], and if 
we let the proofs of B(x) be represented by the elements in the set B(x) [x £ A], 
then the elements in the set Il( A. B ) are exactly the functions mentioned in the 
Heyting interpretation. The elements in U(A, B) therefore represent the proofs 
of (Vx£ A)B(x). So we see, that in order to cope with the universal quantifier, 
it is necessary to have this kind of generalized function set. 

Other examples of sets (propositions) that are defined as special cases of the 
cartesian product are: 

1. the restricted set of functions A —> B, where the set B does not depend 
on the argument x £ A 

2. the implication Ad B. 

3. the record type former in Pascal is a set (nx £ {;<-],..., i n })B(x), the 
members of which are tuples. The component of the tuple with the name 
j is in the set B(j). In Pascal the application apply(/, j) is written f.j. 

The last example shows that a cartesian product of a family of sets is a 
generalization of a cartesian product of a finite number of sets. 
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It is important to distinguish between the two different notions of function 
we have used. The first is the fundamental syntactical notion of function as an 
expression with holes in it, i.e. an expression which is not saturated. The second 
is the notion of function as an element in the cartesian product. When there is 
a risk of confusion between these two notions, we will use the word abstraction 
for the syntactic notion and function element for the second. The syntactical 
notion of function is more basic; we use it already when we write down the sets 
n(A, B) and A —> C, in these expressions B, II and —> are abstractions. 
Examples of canonical elements in different II-sets are: 

X((x)x) £ II(Bool, (x)Bool) 

A(succ) en(N,(i)N) 

A((s)A((y)s + y)) £ II(N, (s)II(N, (y) N)) 

where N is the set of natural numbers and succ and + the usual arithmetical 
operations, to be introduced in chapter 9. These expressions can also be written: 

Xx.x £ (ILce Bool) Bool 
Ax.succ(x) g (IIxeN)N 
Xx.Xy.x + y £ (IIx G N) (IIx G N) N 

An example of a non-canonical expression is: 

apply(Ax.a:, false) G Bool 

The computation rule for apply justifies the equality 
apply(A(6), a) = b(a) £ B(a ) 

For example, 

apply(Ax.a:, false) = false G Bool 

and 


apply(Aa:.if x then 0 else false), true) = if true then 0 else false € N 
which can be further evaluated to 0. 


7.1 The formal rules and their justification 

As defined previously, the canonical elements in II(A,B) are of the form X(b), 
where b(x) £ B{x) when x £ A. We also defined two canonical elements X{b -\) 
and A(&2) in II(A, B) to be equal if b\(x) = b2(x) £ B(x) when x £ A. In 
order to see that II(A, B) is a set it only remains to verify that the equality on 
n(A, B) is extensional. But this is obvious since the free variables in A(6-|) and 
A(f>2) are also free in b\(x) and b-iix) and the equality on the family B(x) over 
A is required to be extensional. 

Therefore, II(A,B) is a set if A is a set and if B(x) is a set under the 
assumption that x £ A. Hence, the formation rule is: 
n - formation 


A set B(x) set [x £ A] 
n(A, B) set 
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Since the canonical elements in the set II(A, B) are of the form \(b) where 
b(x) £ B(x) under the assumption that x £ A, we get 
II - introduction 


b(x) £ B(x ) [a: e A) 

X(b) e n (A, B) 

As mentioned earlier, the primitive non-canonical constant for the cartesian 
product is 


apply 

of arity 0®0—»0. We also introduce an infix form of apply by the definition 
x-y = apply (x,y) 


The rule associated with apply is: 
II - elimination 1 


/ € n(A, B) a £ A 
apply (f,a) £ B(a ) 

We have to convince ourselves, from the way apply(/, a) is computed and the 
semantics of the judgement forms, that this rule is correct. That / £ II(A, B) 
means that 

/ has a value of the form A (b) (1) 

where 

b(x) £ B(x) [x £ A] (2) 

since it must have a canonical value in the set II(A, B) and all canonical values 
of n(A, B) have this form. By the definition of how apply(/, a) is computed and 
(1), we get that 


apply {f, a) is computed by computing b{a). 
Since a £ A, we get from (2) that 


b(a) £ B{a) 


( 3 ) 

( 4 ) 


(3) and (4) finally give us 

apply (/> a ) € B(a) 

and thereby the elimination rule is justified. 

The way apply(/, a) is computed gives the rule: 
II - equality 1 


b(x) £ B(x) [i£i] a £ A 
apply(A(6), a) = b(a) £ B(a) 


since b(x) £ B(x) [a; £ A] and a £ A give that b(a) £ B(a). 
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7.2 An alternative primitive non-canonical form 

As an example of how the semantics can justify the introduction of a different 
non-canonical form, we will introduce an alternative to the selector apply in the 
II-set. 

For most sets, the non-canonical forms and their computation rules are based 
on the principle of structural induction. This principle says, that to prove that 
a property B(a) holds for an arbitrary element a in the set A, prove that the 
property holds for each of the canonical elements in A. Similarly, to construct 
a program for an arbitrary element a in the set A, construct a program for each 
of the canonical forms of A. The computation rule for the non-canonical form 
in the II-set does not follow this principle. It is chosen because the rule is well- 
known from the A-calculus (/3-reduction). The alternative non-canonical form is 
based on the principle of structural induction. We define the new non-canonical 
form as follows: 

Introduce the constant funsplit of arity (0®((0—»0)—»0))—»0 and let the 
expression funsplit(/, d) be computed by the following rule: 

1. Compute /. 

2. If the value of / is A(6), then the value of funsplit(/, d) is the value of 
d(b). 

The expression / is to be an arbitrary element in the set R(A, B) and d(y) is 
a program in the set C(X(y)) under the assumption that y{x) G B(x) [x G 
A], Notice that this is a higher order assumption, an assumption in which an 
assumption is made. The variable y is of arity 0—»0, i.e. it is a function variable, 
i.e. a variable standing for an abstraction. Note that a function variable is 
something quite different from an element variable ranging over a II set. 

The alternative elimination rule becomes: 

II - elimination 2 

/ g n(A, B) 

C(v) set [v G n(A, B)] 
d(y)£C(\(y)) [y(x)€B(x) [x € A]] 
funsplit (f,d) G C(f) 

We can justify II-elimination 2 in the following way: If / € R(A. B) it follows 
from the meaning of this judgement form that / must have a canonical element 
as value. The canonical elements in the II set are of the form A(6), so / has a 
value of the form \{b) and 

f = X(b)£H(A,B) (1) 

where 

b(x) G B(x) [x g A] (2) 

Since we know that d{y) G C(X(y)) whenever y(x) G B(x) [x G A] and b(x) G 
B(x) [a; G A], we get 

d(b) G C(X(b)) (3) 

From the computation rule for funsplit and from (1) we can conclude that 
funsplit(/, d) is computed by computing d(b) and from (3) it follows that 

funsplit(/, d) G C(X(b)) 


(4) 
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From the premise that C(v) is a set under the assumption that v £ II( A B) and 
from (1) it follows that 

C(f) = C(\(b)) (5) 

and now from (4) and (5) and the meaning of the judgement form A = B, it 
immediately follows that 

funsplit (f,b)£C(f) 

Hence, the first elimination rule is justified. 

The computation rule for funsplit(A(6), b) gives the equality rule: 
n - equality 2 

b(x) £ B(x) [x £ A] 

C(v) set [v e n(A, B)] 

, :m €«?( xm e afo j 1* 

since b(x) £ B(x) [x £ A] and d(y) £ C(X(y)) [y(w) £ B(w) [w £ A] give 
d(b) £ C(A(b)). 

Now we can reintroduce the constant apply of arity 0®0—»0 by making an 
explicit definition 


apply(/,a) P funsplit(/, (x)(x(a))) 

If we have defined apply in this way, the expression apply(/, a) will be com¬ 
puted in the following way. The program apply(/, o) is definitionally equal to 
funsplit(/, (x)(x(a))) which is computed by first computing the value of /. If the 
value is A(b) then continue to compute the value of the program ((x)(x(a)))(b), 
a program which is definitionally equal to b(a). 

We can also prove a counterpart to the first n-elimination rule: 

Theorem If a £ A and / £ n(A, B), then apply(/, a) £ B(a). 


Proof: Assume that a £ A and / £ Il(A. B). For some expression b, f must 
be equal to A(6) where 

b(x) £ B(x) [x £ A] (1) 

Using the definition of apply, we get that apply(/, a) is computed by computing 
funsplit(A(6), (x)x(a)). The computation rule for funsplit gives that apply(/, a) 
is equal to b(a). From (1) we get 


b(a ) £ B(a ) 


Hence, 


apply(/,a) e B(a) 
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7.3 Constants defined in terms of the II set 

7.3.1 The universal quantifier (V) 

In order to define the universal quantifier, we introduce a new constant V of 
arity 0®(0—»0)—»0 and then make the explicit definition 

v = n 

Instead of using the somewhat unusual notation V(A, B) for the universal quan¬ 
tifier, we will write (Va; £ A)B(x). The rules for the universal quantifier follow 
directly from the rules for the II-set by reading B{x) as a family of propositions 
and (Vx€ A) B(x) as a proposition. We get the following rules for the universal 
quantifier. 

V - formation 


A prop B(x) prop [a; € A] 
(VxeA)B(x) prop 


V - introduction 

B{ x) true [x € A] 
(\/xgA)B(x) true 

V - elimination 1 


(Vx£ A)B{x) true a € A 
B{a) true 

The alternative elimination rule becomes 
V - elimination 2 

(Vx£A)B(x) true C prop C true [B(x) true [x G A]] 

C true 

7.3.2 The function set (—►) 

As we have already remarked, the cartesian product is a generalization of the 
formation of the set of functions from a set A to a set B, which we now get in 
the following way. We introduce a new constant —> of arity 0®0—»0 and make 
the definition 


—> (A, B) = n (A,(x)B) 

Instead of —> (A, B). we shall write A —> B. From the rules for II we get, 
special cases: 

—> - formation 


A set B set [a; € A] 
A —> B set 


where x must not occur free in B 
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—> - introduction 

b(x) G B [x&A] 

\{b) f/I-*/) 

where x must not occur free in B 
—> - elimination 

feA^B a £ A 
apply(/,o) G B 

—> - equality 

6 (x) G B [iG A] flGd 
apply(A(6), a) = 6(a) G B 
where x must not occur free in B or / 

7.3.3 Implication ( D ) 

The Heyting interpretation of implication is 

The implication A D B is true if we can construct a function which 
when applied to a proof of A, yields a proof of B. 

If we let the elements in the set A represent the proofs of the proposition A 
and similarly for the set (proposition) B, then we can see that the elements 
(functions) of A —> B are exactly the constructions we require in the Heyting 
interpretation to prove Ad B. So we get the implication Ad B simply by in¬ 
troducing a new constant D of arity 0®0—»0 and making the explicit definition 

The rules for implication immediately follow from the rules for —By omitting 
the proof elements in the rules for implication we get the natural deduction 
rules: 

D - formation 

A prop B prop [A true] 

AdB prop 

3 ^introduction 

B true [A true] 

Ad B true 

D - elimination 

Ad B true A true 
B true 

The alternative elimination rule becomes: 

Ad B true C prop C true [B true [A true]] 

C true 

Notice that the second premise of the formation rule is weaker than in the 
traditional rule. To show that A D B is a proposition it is enough to show that 
A is a proposition and that B is a proposition under the assumption that A is 
true This rule has been suggested by Schroeder-Heister [96]. 
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Example. Changing the order of universal quantifiers 

From a constructive proof in natural deduction, it is always possible to obtain, 
by filling in the omitted constructions, a proof in type theory. Consider, for 
instance, the following proof in natural deduction: 

Assume 

(Vx G N) (Vy G Bool) Q(x,y) 

V-elimination used twice, gives 

Q(x,y) [x G N,y G Bool] 

By V-introduction (twice) we get 

(Vy G Bool) (Vx G N) Q(x, y) 

Finally by D -introduction 

(Vx G N) (Vy G Bool) Q(x,y) D (Vy G Bool) (Vx G N) Q(x, y) 

With the proof elements present, this proof becomes: 

Assume 

w G (IIx G N) (Ily G Bool) Q(x,y ) 

By II-elimination (twice) we get 

apply 2 (w,x,y) G Q(x,y) [x G N, y G Bool] 


apply 2 (x,y,2) = apply(apply(x,y),^) 
and then by II-introduction (twice) 

Ay.Ax.apply 2 (w,x,y) G (Ily G Bool)(IIxG N) Q(x,y) 
Finally, by -►-introduction 


A«j.Ay.Ax.apply 2 (u>,x,y) G 

(IIxG N)(IIyG Bool)Q(x, y) -► (nyG Bool)(nxG N)Q(x, y) 
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Chapter 8 

Equality sets 


We have seen how to use set-forming operations to build up complex propo¬ 
sitions from simpler ones, but so far we have only introduced the elementary 
propositions T (the truth) and _L (the absurdity). Since the judgemental equal¬ 
ity cannot be used when building propositions, it is necessary to have an ele¬ 
mentary proposition expressing that two elements are equal. Beside the equality 
sets, it is the universe and general trees, which are introduced later, which make 
it possible to have dependent sets. 

We will introduce two different sets to express that a and b are equal elements 
of a set A. The first one, which we denote by Id (A, o, b ) and which we will call 
intensional equality, will have an elimination rule which expresses an induction 
principle. The second one, which we denote by Eq(^4,a, 6), will have a strong 
elimination rule of a different form than the elimination rules for the other sets. 
With this set, judgemental equality will no longer be decidable and we will 
therefore avoid this equality when possible. It is only in the chapters on well- 
orderings and general trees we must use it. In the chapter on cartesian product 
of two sets, we will show that extensionally equal functions are equal in the 
sense of Eq. Hence, we will call these kind of equalities extensional equalities. 

8.1 Intensional equality 

The set ld(A, a, b), where Id is a primitive constant of arity 0®0®0—»0, will 
represent the judgement a = b e A as a set. 

Id - formation 

A set a € A be A 
Id (A,a,b) set 

The set ld(A, a, a) will have the member id(o) where a e A and id is a primitive 
constant of arity 0—»0. So we have 
Id - introduction 

a e A 

id(a) e Id (A, a, a) 

By using Substitution in sets on a = b e A and ld(T, a, x) set [x e A) we obtain 
ld(^4,a, a) = Id (A, a, b). So, by Id -introduction 1 and Set equality we get the 
derived rule 
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Id - introduction’ 

a = b £ A 
id(a) £ Id(A, a, 6) 

The primitive non-canonical constant of the equality set is idpeel of arity 
(0®(0^0))^0 

The expression id peel (c, d) is computed as follows: 

1. id peel (c, d) is evaluated by first evaluating c. 

2. If c has value id(o) then the value of idpeel(c, d) is the value of d{a). 

The way a canonical element is introduced in an equality set and the computa¬ 
tion rule for idpeel justifies the elimination rule: 

Id - elimination 

a £ A 
be A 

ce\d(A,a,b ) 

C(x, y, z ) set \x e A, y £ A, z £ ld(A, x, y)] 
d(x) £ C(x, x, id(x)) [x £ A] 
idpeel(c, d) £ C(a,b,c) 

As for the other sets, the elimination rule expresses a principle of structural 
induction on an equality set, but the importance of the elimination rule in this 
case is more in that it is a substitution rule for elements which are equal in the 
sense of an equality set. 

The way idpeel(c, d) is computed gives the rule: 

Id - equality 

a £ A 

C(x, y, z) set [x £ A, y £ A, z £ ld(A, x, y)\ 
d(x) £ C(x, x, id(x)) [x £ A] 
idpeel(id(a), d) = d{a).k 

Instead of Id (A, a, b) we will often write a =a b. 

Example. Symmetry and transitivity of equality 

Let A be a set and a and b elements of A. Assume that 

d £ ld(A, a, b) (8.1) 

In order to prove symmetry, we must construct an element in Id (A, b, a). By 
putting C = (x, y. z)\d{A. y, x) in Id-elimination we get, by Id-introduction, 

idpeel(d, id) £ ld(A, 6, a) 

so we have proved symmetry. Hence, we have the following derived rule: 
Symmetry of propositional equality 

d £ [a =a b] 
symm(d) £ [6 =a a] 
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where 


symm(d) = idpeel(d, id) 


To prove transitivity, we assume 

eeld(A,6,c) (8.2) 

where c is an element in A. We then have to construct an element in Id (A, a, c). 
Using Id-elimination with C = {x,y,z)(\6{Axy,c) —> ld(A, x, c)) we get from 
d G Id (A, a, b), by II-introduction, 

idpeel(d, (x)Xy.y) G ld(A, b, c) —> ld(A,a, c) (8.3) 

(8.2), (8.3) and II-elimination give 

apply(idpeel(d, (x)Xy.y),e) G ld(A,o, c) 

and, hence, we have transitivity. So we have the following derived rule: 
Transitivity of propositional equality 

d G [a = A b] eg [b = A c] 
trans(d, e) G [a =a c] 

where 

trans(d,e) = apply(idpeel(d, (x)Xy.y), e) 


Example. Substitution with equal elements 

Assume that we have a set A and elements a and b of A. Assume also that 
c jg ld(A, a, b), P(x) set [a; G A] and p G P(a). By II-introduction we get 

Xx.x G P(x) —> P(x) 

Putting C = (a;, y, z)(P(x) —► P(y)) in Id-elimination we then get 
idpeel(c, ( x)Xx.x) G P(a) —► P(b) 
from which we obtain, by II-elimination, 

apply(idpeel(c, (x)Xx.x),p) G P(b) 

So we have the derived rule 

P(x) set [x G A] a G A b G A c G ld(A, a, b) p G P(a) 
subst(c,p) G P(b) 

where 

subst(c,p ) = apply(idpeel(c, (x)Xx.x),p) 

If we suppress the proof-objects we get the rule 

P(x) set [x G A] a G A bGA Id (A, a, b) true P (a) true 

P(b) true 

which corresponds to the usual substitution rule in predicate logic with equality. 
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Example. An equality involving the conditional expression 

In this example we will prove, that for any set A 

ld(A, if b then c else c, c) [b G Bool, c G A] 

is inhabited. We start by assuming that c € A and b G Bool, and will show that 
there is an element in Id (A, if b then c else c, c) by case analysis on b. 

1. b = false: The Bool - equality rule gives 

if false then c else c = cG A 
which, using Id - introduction, gives 

id(c) e ld(A, if false then c else c, c) 

2. b = true: In the same way as above, we first get 

if true then c else c = cG A 
by one of the Bool - equality rules, and then 

id(c) e ld(A, if true then c else c, c) 
by Id - introduction. 

Applying the Bool - elimination rule on the two cases, we finally get 
if b then id(c) else id(c) € ld(A, if b then c else c, c) 


8.2 Extensional equality 

We will now give an alternative formulation of equality sets which will have a 
strong elimination rule of a different form than all the other sets. 

In the semantics we have given, following [69, 70], the judgemental equality 
is more general than convertibility; we have only required that it should be an 
equivalence relation which is extensional with respect to substitution. The rules 
for the equality sets given in [69, 70] are different from those we are using. The 
formation rule is 

Eq - formation 


A set a G A b G A 
Eq(A, a, b) set 


where Eq is a primitive constant of arity 0®0®0—»0. 
There is at most one canonical element in an Eq-set: 


Eq - introduction 

a = b G A 
eq G Eq(A, o, b) 


which differs from the introduction rule for Id-sets in that eq is of arity 0 and, 
hence, a canonical element of Eq(A, a, b) does not depend on an element in A. 
The crucial difference, however, is the elimination rule: 
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Strong Eq - elimination 


ceEq(A,a,b) 
a = b £ A 

Unlike the elimination rules for the other sets, this elimination rule is not a 
structural induction principle. 

We also need an elimination rule by which we can deduce that all elements 
in an Eq are equal to eq: 

Eq - elimination 2 


cgEq(d,a,j)) 
c = eq € Eq(A, a, b) 

Using the two elimination rules for Eq, we can derive an induction rule for 
Eq, corresponding to Id-elimination, 

a £ A 
be A 

ce Eq (A,a,b) 

C(x,y,z ) set [x e A, y e A, z e Eq(A,x,y)] 
d(x) £ C(x,x,eq) [x e A] 
d(a)eC(a,b,c) 

To prove this rule, we assume the premises of the rule. By strong Eq-elimination 
and c e Eq(A, a, b), we get 

a = b e A (8-1) 

From a e A and d(x) £ C(x. x, eq) [x £ A] we obtain, by substitution, 

d(a) £ C(a,a, eq) (8.2) 

(1), Eq-elimination 2, (2) and substitution, finally give 

d(a) £ C(a, b, c ) (8.3) 

If we do not have sets formed by Eq in our formal theory it is possible to 
show, by metamathematical reasoning, that if a = b £ A is derivable then a 
converts to b. That a converts to b is then understood in the usual way of 
combinatory logic with our computational rules for the noncanonical constants 
as reduction rules; in particular, it is not necessary to have lazy evaluation. 
The proof is by induction on the length of the derivation of a = b £ A. It is 
also possible to show that if c £ Id (A, a, b) is derivable and does not depend on 
any assumptions, then a converts to 6; this is the reason why we call equalities 
formed by Id intensional. This result can be proved by normalization; such a 
proof is complicated but can be done, using standard techniques. 

If we express propositional equalities by Eq it is no longer possible to under¬ 
stand judgemental equality as convertibility, because it is then possible to prove 
a judgemental equality by reasoning using propositions. So we may e.g. use in¬ 
duction when proving a judgement of the form a(x) = b(x') £ A [x £ N] by first 
proving Eq(^4, a(x), b(x)) [x £ N] and then applying the strong Eq-elimination 
rule. 
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8.3 77 -equality for elements in a II set 

We have not formulated any judgemental rule corresponding to //-conversion, 
that is, we have no rule by which we can conclude 

A((z)apply(/, *)) = / e n(A, B) [f € U(A, B)} 

Although we do not have this judgemental equality we can prove, by using 
II-elimination 3, that the corresponding Id judgement holds: 

ld(II(A, B), A((z)apply(/, x))J) true [/ € U{A, B)) (1) 

(1) can be derived in the following way. By II-equality we obtain 

A((z)apply(A(y),aO) = A (y) « U(A,B) [y(x) £ B(x) [x e A]] 

from which we get, by Id-introduction, 

id(A(j/)) e ld(n(A, B), A((x)apply(A(y), a:)), A(y)) [y{x) e B{x) [x € A]] (2) 

Putting 

D(X(y)) = ld(II(A, B), A((a;)apply(A(y), x)),X(y)) 
in II-elimination 3, we obtain from (2) 

funsplit(/, (y)id(A(j/))) € ld(n(A, B), A((ar)apply(/,*)), /) [/ € n(A,£)] 

which shows that the judgement (1) holds. 

A similar proof for Eq instead of Id gives a term t such that 

t £ Eq(II(A, B), A((*)apply(/, x))J) [f £ U(A, B)] 

By strong Eq-elimination, we then obtain 

A((*)apply(/,*)) = /e [f€U(A,B)] 

So in the theory with Eq-sets, we have //-conversion on the judgemental level. 



Chapter 9 

Natural numbers 


The constant N of arity 0 denotes the set of natural numbers. The rule for 
forming this set is simply 
N - formation 


N set 

The canonical constants 0 and succ of arities 0 and 0—»0 respectively, are used 
for expressing the canonical elements in N. The object 0 is a canonical element 
in N and if a is an element in N then succ(o) is a canonical element in N. This 
is reflected in the following introduction rules: 

N - introduction 1 


0 g N 


N - introduction 2 

qg N 

succ(a) g N 

We will often use the numerals 1,2, ... to denote canonical elements in N. 

If a and b are equal elements in N then succ(a) and succ(6) are equal canonical 
elements in N. 

The basic way of proving that a proposition holds for all natural numbers is 
by mathematical induction: From P(0) and that P(x) implies P(succ(x)) you 
may conclude that P(n) holds for all natural numbers n. In order to be able to 
prove properties by induction on natural numbers in type theory, we introduce 
the selector natrec of arity 0®0®(0®0—»0)—»0. From a computational point of 
view, natrec makes it possible to make definitions by primitive recursion. The 
expression natrec(a, d, e ) is computed as follows. 

1. Evaluate a to canonical form. 

2a. If the result of evaluating a is 0 then the value of the expression is the 
value of d. 

2b. If the result of evaluating a is succ(fr) then the value of the expression 
is the value of e(b, natrec(6, d, e)). 
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So, defining a function / by the primitive recursion 

r /(o) = d 

\ f (n® 1) = e(n,/(n)) 
is in type theory expressed by the definition 

/ = (n)natrec(n, d, e) 

For example, using natrec, we can define the constants ® and * of arity 0®0—»0 
by the explicit definitions 

®(x,y) = natrec(x,y, (u,n) succ(n)) 

*(x,y) = natrec(x,0, (u, v) ®(y,v)) 


expressing addition and multiplication, respectively. We will use the infix format 
and the ordinary precedence rules for ® and *. These definitions correspond 
exactly to the usual definitions of addition and multiplication by primitive re¬ 
cursion. 

The elimination rule for the natural numbers is: 

N - elimination 

a £ N 
d £ <7(0) 

C(v) set [ v £ N] 

e(x,y) 6 (7(succ(x)) [ieN, y £ C{x)\ 

In order to justify N-elimination we assume the premises a £ N, d £ (7(0) and 
e(x, y) £ C(succ(x)) [a: e N, y 6 C{x)\. We want to convince ourselves that the 
conclusion is correct, i.e. that the value of natrec(o, d, e) is a canonical element 
in C(a) 

1. If the value of a is 0 then the value of natrec(a, d, e) is the value of d 
which by the second premise is a canonical element in (7(0). From the 
extensionality of the family C it follows that (7(a) = (7(0) and, hence, 
that the value of natrec(a, d, e) is a canonical element in (7(a). 

2. If the value of a is succ(6), where b £ N, then the value of natrec(a, d, e) is 
the value of 

e(b, natrec(6, d, e)) (1) 

It now remains to show that natrec(6, d, e) £ (7(6). Then it follows from 
the meaning of the last premise that the value of (1) is a canonical element 
in (7(succ(6)) which by the extensionality of C is also a canonical element 
in (7(a). To show that natrec(6, d, e) £ C(b) we compute the value of 
natrec(6, d, e) by first computing 6. The value of 6 is either 0 or succ(c), 
where c £ N. 

(a) If the value of 6 is 0 then by a similar reasoning as in (1) we conclude 
that the value of natrec(6, d, e) is a canonical element in (7(6). 
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(b) Otherwise, if the value of b is succ(c), where c £ N, then we proceed 
as in (2) to show that the value of natrec(6, d. e ) is a canonical element 
in C(b). This method will terminate since all natural numbers are 
obtained by applying the successor function to 0 a finite number of 
times. 

If some of the constructions in the elimination rule are omitted, Peano’s fifth 
axiom is obtained: 

a £ N C(v) prop [v £ N] U(0) true C(succ(a;)) true [C(x) true] 
C(a) true 

Notice that the justification of the induction rule comes from N-elimination 
which was justified by using mathematical induction on the semantical level. Of 
course, neither N-elimination nor Peano’s fifth axiom can be justified without the 
knowledge that N is well-founded, which is something which we must understand 
from the inductive definition of the canonical elements in N, that is, from the 
introduction rules for N. 

Finally we have the equality rules, which are justified from the computation 
rule for natrec. 

N - equality 1 

C(v) set [v £ N] 
d £ 0(0) 

e{x,y) £ C l (succ(a:)) [igN, y £ C{x)\ 
natrec(0, d,e) = d£ 0(0) 

N - equality 2 

C(v) set [v £ N] 
a£ N 
d £ 0(0) 

e(x,y) £ 0(succ(x)) [igN, y £ C{x)\ 
natrec(succ(a), d, e) — e(a,natrec(a, d,e)) £ <7(succ(o)) 

The proposition in type theory corresponding to Peano’s fourth axiom needs 
the Universe set to be proved, so we have to postpone this until later. 

Example. The typing of the © -operator 

The constant ® was defined by 

©(a ;,y) = natrec(;r, y, (u, v) succ(u)) 

We will now formally show that 

©(a;,y) g N [igN, t/g N] 

By the rule of assumption we get 


igN [x £ N] 
y£ N [y £ N] 


(9.1) 

(9.2) 
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Assumption and N-introduction 2 give 

succ(u) e N [u e N] (9.3) 

By applying N-elimination on (9.1), (9.2) and (9.3) we get 

natrec(x, y, (u, v) succ(u)) € N [x e N, y e N] 
that is, by definition, 

©(;;;, y) e N [a: G N, y e N] 

Example. Peano’s third axiom 

Peano’s third axiom is that if the successor of two natural numbers are equal 
then the natural numbers are equal. We can formulate this in type theory as a 
derived rule: 


me N n e N succ(m) = succ(n) e N 
to = n e N 

In the derivation of this rule we will use the predecessor function pred, which is 
defined by 

pred = (x)natrec(a:, 0, (u, v)u) 

Since 0 e N and it e N [u € N], the definition of pred and N-elimination give 


pred(x) e N [i ? N] 

(9.1) 

Let to € N, n € N and 


succ(to) = succ(n) e N 

(9.2) 

By (9.1), (9.2) and Substitution in equal elements, we get 


pred(succ(m)) = pred(succ(ri)) € N 

(9.3) 

The definition of pred and N-equality 2 give 


pred(succ(m)) = m e N 

(9.4) 

pred(succ(n)) = n e N 

(9.5) 


Using symmetry and transitivity of judgemental equality on (9.3) - (9.5), we 
finally obtain 

m = ne N 

and, hence we have Peano’s third axiom as a derived rule. 

Instead of formulating Peano’s third axiom as a derived rule, we could ex¬ 
press it as a proposition, using an equality set: 

(Vx€N)(Vy€ N)(ld(N,succ(a;),succ(y)) D ld(N, x, y)) 

This proposition can be proved in a similar way as the derived rule, using the 
rules for Id instead of the rules for judgemental equality. Note that these two for¬ 
mulations of Peano’s third axiom are inherently different: the first formulation 
is about judgements but the second is a proposition. 



Chapter 10 

Lists 


In order to form the set of lists of elements in a set A, we introduce three new 
constants: List of arity 0—»0, nil of arity 0 and cons of arity 0®0—»0. If A is a 
set, then the canonical elements in List(T) are nil and consfo, l) where a is an 
element in A and l is an element in List(4). If a = a' € A and l = l' € List(T) 
then consfct, l) and consfet', l') are equal canonical elements in List(a). 

We have the following rule for forming list sets. 

List - formation 

A set 
List(T) set 

In order to be able to use infix notation when constructing lists, we make the 
definition 


a.l = cons (a,l) 


The introduction rules are: 
List - introduction 

nil e List(^4) 


a 6 A le LjstCA) 
a.l e List(.A) 


The primitive non-canonical constant listrec of arity 0®0®(0®0®0—»0)—»0 is 
introduced in order to express recursion on lists. The expression listrec(Z, c, e) is 
computed as follows: 

1. First compute l. 

2a. If the value of l is nil, then the value of listrec(Z, c, e) is the value of c. 

2b. If the value of l is a.h then the value of listrec(Z, c, e) is the value of 
e(a,Zi,listrec(Zi,c, e)). 

The following rules are justified in the same way as the corresponding rules for 
natural numbers: 
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List - elimination 
l S List(A) 

C(v) set [v £ List(A)] 
c e C-(nil) 

e(x,y,z) £ C(x.y) [x £ A, y £ List(^4), z € C(y)\ 
listrec(Z, c, e) £ C(l) 

List - equality 1 

C(v) set [v £ List(A)] 
ceC(nil) 

e(x, y, z) £ C(x.y ) [x £ A, y £ List(A), z £ C{y)\ 
listrec(nil, c,e) = c£ C(nil) 

List - equality 2 

a £ A 
l £ List(A) 

C(v) set [v £ List(A)] 
ceC'(nil) 

e(x,y,z) £ C(x.y )) [x £ A, y £ List(A), z g C{y)\ 
listrec(ai, c, e) = e(a, l, listrec(Z, c, e)) € C(a.l) 


Example. Associativity of append 

The function append concatenates two lists and is defined by 
append(h,l 2 ) = listrec(Zi, Z 2 , (x,y, z) x.z)) 

We will use the binary infix operator @ for append, 

R@l2 = append(li,l2) 

From the List-elimination rule, it follows directly that 

li@l 2 = \istrec(li,l 2 ,(x,y,z)x.z) £ List(A) [R £ List(A),/ 2 € List(A)] 

By applying List-equality to the definition of l\@l 2 we get the following equalities 

f nil@Z 2 = h € List(T) 
a.li@l 2 = a.(li@l 2 ) £ List(A) 

which are the usual defining equations for append. 

As a simple example, we are going to show how to formally prove that @ is 
associative, i.e. if p,q,r £ List(A) then 

p@(q@r) =List (A ) ( p@q)@r 

is a true proposition. We will write L instead of List(A). We first give the 
informal proof and then translate it to a proof in type theory. 

We sometimes use the following notation, introduced by Dijkstra, for infor¬ 
mal proofs: 
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ti 

{ informal argument why fj = fa } 
fa 

{ informal argument why fa = fa } 
fa 


This is sometimes generalized from equality to another transitive operator. 

The proof proceeds by induction on the list p. For the base case, we have to 
show that nil@(g@r) =l (nil@^)@r, which is done by simplifying the two sides of 
the equation: 


nil@(g@r) 

{ definition of @ } 
q@r 


(nil @q)@r 

{ definition of ©, substitution } 
q@r 


The induction step starts in a similar way and ends in using the induction 
hypothesis. We are going to show that ( x.y)@(q@r ) =l (( x.y)@q)@r from the 
assumption that y@(q@r) = L ( y@q)@r . First, the left hand side: 

(■ x.y)@(q@r ) 

= { definition of @ } 

x.(y@(q@r)) 


Then the right hand side: 

((x.y)@q)@r 

= { definition of @, substitution } 

(x.(y@q))@r 

= { definition of @ } 

x.((y@q)@r) 

=l { induction assumption, substitution } 
x.(y@(q@r)) 


The proof is by induction on the list p, so in type theory we use List- 
elimination. We have to prove the three premises 

1. p e L, which we already have assumed. 

2. Find an element in [nil@(g@r) =l (nil@g)@r]. 

3. Under the assumptions that x e A, y g L and z e [y@(q@r) = L (y@g)@r] 
find an element in [(a:.j/)@(g@r) =l ((x.y)@q)@r]. 
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The following is a formal proof of the two parts in the base step. First we 
have the simplification of the left hand side: 

qG L r G L xG A zG L , . 

--=- -=- LlSt-intro 

q@r G L x.z G L 

listrec(nil, (q@r), (x, y, z)x.z) = q@r G L ISt cquallty 

nil@( 9 @r) 

And then we have the simplification of the right hand side: 
x G A zgL L . st ^ 

nil e L x.z G L ™ r ° uG L r G L 

--- - - List-equality --- 

nil @5 = q G L u@r G L 

(nil «*</) *:<r* = q@r G L 

These two steps are combined using symmetry and transitivity of equality to 
obtain the conclusion 

nil@(g@r) = (nil@^)@r G L 
and hence, using Id-introduction, we get 

id(nil@(g r @r)) G [nil@(q , @r) =l (nil@g)@r] 

The induction step is formalized in almost the same way, the only compli¬ 
cation is in the last step where the induction assumption is used. Here we must 
switch from definitional equality to propositional equality, and therefore we will 
use the derived rules for substitution and transitivity from chapter 8. 

In the first part of the induction step we have shown that 

(. x.y)@(q@r ) = x.(y@(q@r)) G L 

and in the second part (except for the last step) 

((x.y)@q)@r = x.((y@q)@r) G L 

Id-introduction then gives 

id((a;.y)@(< 2 , @r)) e [(x.y)@(q@r) = L x.(y@(q@r))] (10.1) 

and 

id(a:.((j/@g)®r)) € [x.((y@q)@r) = L ((x.y)@q)@r] (10-2) 

We then apply the substitution rule for propositional equality on the induction 
assumption and the family 

P(u) = [x.(y@(q@r )) = L x.u] 


and obtain 

subst(z,\d(x.(y@(q@r)))) G [a:.(y®(g@r)) =l x.((y@q)@r)] (10.3) 

We can now use transitivity of propositional equality twice on (10.1), (10.3) 
and (10.2) to get 
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trans( trans( id ( (x.-y) @(q@r )), 

subst(z, id(x.(y@(g@r)))) 

! 

\d(x.{(yaq)®r)) 

) e [(x.y)@(5@r) = L (( x.y)mq)@r\ 

We can now combine the solution of the base step and the induction step, using 
List-elimination: 

listrec(p, 

id(nil@(g@r)), 

(x,y, u)trans(trans(\d((x.y)@(q@r)), 

subst(z , id(a:.(2/@(g@r)))) 

)> 

id(a:.((t/@g)@r)) 

) 

) e \p@(q@r) = L (p@g)@r] 

which concludes the proof. This example shows the practical importance of 
using the judgement form A true. The explicit element we have found in the 
set \p@(q@r) =l (p@< 7 )@r] is not a very interesting program. A more elaborate 
example is found in [99]. 
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Cartesian product of two 
sets 

If A and B are sets, then the cartesian product 
AxB 

can be formed. The canonical elements of this set are pairs 
(a,b) 

where a € A and b € B. The primitive noncanonical constant for the cartesian 
product is split of arity 0®(0®0—»0)—»0. If p £ A x B and e(x,y) e C((x,y}) 
under the assumptions that x € A and y £ C, then 

split(p, e) e C(p) 

which is evaluated as follows: 

1. split(p, e) is evaluated by first evaluating p. 

2. If p has value (a, b) then the value of split(p, e) is the value of e(a, b). 
The split expression is similar to a let expression in ML of the form 

case p of (x,y) => e(x,y) 

The ordinary projection operators are defined by: 

fst(x) = split (x,(y,z)y) 
snd(x) = split (x,(y,z)z) 

We will later see that the cartesian product A x B is a special case of the 
disjoint union ( T,xGA)B. 

11.1 The formal rules 

In order to define AxB, we have to introduce a new constant x of arity 0®0—»0. 
We will write AxB instead of x ( A, B). The set AxB is introduced by the 
rule 
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x - formation 

A set B set 

Ax B set 

In order to explain the set Ax B, we must explain what a canonical element 
in the set is and what it means for two canonical elements to be equal. For this 
purpose, we introduce a new constant (} of arity 0®0—»0. Instead of writing 
()(a, b ), we will write (a, b). The canonical elements in the set Ax B are given 
by the following rule: 

x - introduction 

a£A b£B 

(a,b) £ A x B 

So the canonical elements in the set A x B are of the form (a, b), where a £ A 
and b £ B. 

The elimination rule for the cartesian product is: 
x - elimination 

p £ Ax B C(v) set [v £ Ax B] e(x, y) £ C({x, y )) [x £ A, y £ B] 
split(p,e) £ C{p) 

We can justify this rule, using the computation rule for split and the semantical 
explanations, in the following way. 

The premise that p £ Ax B means that the value of p is a canonical element 
in the set Ax B, which by the introduction rule is of the form ( a,b }, where 
a £ A and b £ B. We are going to show that 

split(p,e) £ C(jp) 

i.e. that the value of split(p, e) is a canonical element in C(p). It follows from 
the computation rule for split that the value of split(p, e) is the value of e(o, b). 
The meaning of the second premise gives that 

e(a,b) £ C((a,b)) 

i.e. the value of split(p, e) is a canonical element in C((a , b)). 

From the premise 

C(v) set [v £ Ax B] 

it follows that 

C((a,b)) = C(p) 

since (a, b) = p £ A x B. Hence, canonical elements in C((a,b)) are also 
canonical elements in C(p), in particular the value of splitfp, e) is a canonical 
element in C{p). 

The computation rule also justifies the equality rule 
x - equality 

a£ A b £ B e(x,y) £ C((x,y)) [x £ A,y £ B] 
split((a, b), e) = e(a,b) £ C((a,b }) 


We can define logical conjunction by 
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and we get the usual natural deduction rules for conjunction by omitting the 
constructions in the rules above: 
k - formation 

A prop B prop 

AkB prop 

k - introduction 

A true B true 

AkB true 

k - elimination 

AkB true C prop C true [A true, B true] 

C true 


It is also convenient to have a constant for logical equivalence: 

A <&B = (ADB)k(BDA) 


Example. Projection is the inverse of pairing 

In the lambda-calculus it is not possible to define pairing and projection so 
that (fst(z ), snd(z)) converts to 0. In type theory we have only defined the 
computation rules for closed expressions. However, we can prove 

( z =axb {fst(z ), snd(z))) true [z e A x B] (1) 

in the following way. By x - equality and the definitions of fst and snd we get 

fst((x,y)) = x e A [xe A, ye B] 


and 


snd((x, y)) = y e B [x e A, y e B] 
x-introduction 2 then gives 

( fst((x,y)),snd((x,y ))) = {x,y) € Ax B [x € A, y e B] 

We can now apply symmetry and Id-introduction to the last equation to get 
id((z,y}) e {{x,y) =axb (fst((x,y)), snd((x,y)))) [x e A, y € B] 
from which we get, by x-elimination, 

splits, {x, y)\d((x,y))) e {z = A xb (Jst(z), snd(z))) [zeAxB] 


Hence, we have proved (1). 
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11.2 Extensional equality on functions 

That two functions / and g in a cartesian product II(A, B) are extensionally 
equal means that 


(Vxe A) \d(B(x), apply(/, x), apply (g, x)) 

is true. We cannot expect the equality expressed by Id to be extensional, i.e. 
we cannot expect 

(Vxe^) ld(S(x),apply(/,x),apply(5,x)) \d(H(A,B), f,g) 

to hold in general. Informally, we can see that in the following way. Since 
the set ld(II(A, £?),/, g) does not depend on any assumptions, it is nonempty 
if and only if / and g are convertible; this follows from a result mentioned in 
section 8.2. Hence, it is decidable whether ld(n(A, B), /, g) holds or not. But 
we cannot even expect 

(Vx€ N)ld(l\l,apply(/,x),apply(#,x)) 

to be decidable. However, Eq is extensional on a cartesian product: 

Theorem Under the assumptions / € n(A B) and g £ U(A, B) it holds that 

(VxeA) Eq(H(x),apply(/,x),apply(5,x)) <^> Eq(n (A,B),f,g) 

Proof: We first prove the implication from right to left. So let us assume 
Eq(n(A, B). f,g). By the strong Eq-elimination rule, we then obtain 

f = g&H{A,B) 


which, by equality rules, gives 

apply(/>) = apply(sr,x) e B(x) [x e A] 

Hence, by Eq-introduction, 

eq e Eq(£(x),apply(/,x),apply(ff,x)) 
which, by n-introduction, gives 

A((x)eq) e (Vxe A) Eq(B(x), apply(/, x), apply^, x)) 

as desired. 

For the proof of the implication from left to right, assume 
(Vxe A) Eq (B(x), apply(/, x), apply(p, x)) 

By n-elimination and the strong Eq-elimination rule, we then obtain 
apply(/,x) = apply(sr,x) e B(x) [x G A] 
which, by equality rules, gives 


A((x)apply(/, x)) = A((x)apply(p, x)) e n(A, B) 
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By reconversion, which we have in the theory with Eq-sets, we then obtaii 
f = gett(A,B) 

Hence, by Eq-introduction, 

eqeEq(H (A,B),f,g) 
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Chapter 12 

Disjoint union of two sets 


We introduce the constant + of arity 0®0—»0 to represent the disjoint union 
of two sets. We will often use infix notation instead of the standard prefix one, 
and, therefore, introduce the definition: 

A + B = +(A,B) 

To form A + B we have the rule 
H— formation 

A set B set 
A + B set 

In order to form elements in a disjoint union of two sets, we introduce the 
canonical constants ini and inr, both of arity 0—»0. 

Let A and B be sets. The canonical elements in A + B are given by the 
following introduction rules 
H— introduction 

a G A B set A set b G B 

inl(a) G A T B inr(6) G A T B 

The selector for A + B is the constant when of arity 0®(0—»0)®(0—»0)—»0. The 
expression when(c, d, e) is computed in the following way: 

1. Evaluate c to canonical form. 

2a. If the value of c is of the form inl(a), then continue by evaluating d(a). 
2b. If the value of c is of the form inr(fe), then continue by evaluating e(b). 

From this computation rule, we get the elimination rule: 

H— elimination 


cG A+B 

C(v) set [u G A + B] 
d(x) G C(inl(a;)) [x G A] 
e(y) G C(inr(y)) [y G B] 
when (c,d,e) G C(c) 
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We also get the equality rules: 
+ - equality 


a£ A 

C(v) set [veA + B] 
d(x) £ C( inl(z)) [x G A] 

e(y) £ Cjinrjy)) [y G B] _ 

.W'hen(inl(w), d‘ % ej — G tp(ihlfaj|' 

b £ B 

C{v) set [v £ A + B\ 
d(x) £ C(inl(*)) [x £ A] 

e(y) £ C(\nr{y)) [y £ B] _ 

when(inr(6),d,e) = e(b) £ ^(in^^)) 

Having defined disjoint union, we can introduce disjunction by the definition: 
A\/ B = A + B 

and from the rules for +, we get the natural deduction rules for V: 

V - formation 

A prop A prop 
Ay B prop 

V - introduction 

A true B true 

Ay B true Ay B true 


V - elimination 

Ay B true C prop C true [A true] C true [B true] 


C true 



Chapter 13 

Disjoint union of a family of 
sets 


In order to be able to deal with the existential quantifier, we will now generalize 
the cartesian product of two sets to disjoint union on a family of sets. We 
therefore introduce a new constant £ of arity 0®(0—»0)—»0. Let A be a set and 
B a family of sets over A, i.e. 


B(x) set [x e A] 

then we may conclude that £(A, B) is a set. So we have the formation rule 
£ - formation 


A set B(x) set [a; € A] 

T,(A,B) set 

A canonical element in the set £(A, B) is of the form (a, b) where a is an element 
in the set A and b an element in the set B(a). Two canonical elements (a, b) and 
(a', b') are equal if a = a' e A and b = b' e B(a). So we have the introduction 
rule 

£ - introduction 

a e A B(x) set [x e A] b e B{a) 

(a, b) e £(A,E) 

We get the cartesian product of two sets if we make the following definition: 
AxB = -£(A, (x)B) 

In the chapter on cartesian product of two sets, we introduced the non-canonical 
constant split. The computation rules for split justify the elimination rule 
£ - elimination 

ce£(A,B) 

C(v) set [v€£(A,B)] 

d(x, y) € C((x, y)) [x e A, y e B(x)] 

split(c,d) eC(c) 
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and the equality rule 
E - equality 


a € A 
b e B(a ) 

C(v) set [v e E(A, B)] 

d(x,y) e C((x,y)) [x e A, ye B(x)] 

sptit( (a, b),d) = d(a,b ) e C({a>6}) 

We can show that the elimination rule is correct by assuming the premises 
c e E(A, B) and d(x,y) e C((x,y)) [x e A,y e B(x)\. The value of split(c, d) is 
computed by first computing c. By the meaning of the first premise, the value 
of c is (a, b) where a e A and b e B(a). The value of split(c, d) is then the value 
of d(a, b) which, by the meaning of the second premise and the extensionality 
of C, is a canonical element in C(c). 

The equality rule is immediately justified from the way split((a, b }, d ) is com¬ 
puted. 

In order to use a notation which is more similar to the existential quantifier, 
we make the definition 


(E xeA)B(x) = E (A,B) 

We can now introduce the existential quantifier: 

(3xeA)B(x) = (FxeA)B(x) 

By omitting some of the constructions in the rules for the E-set, we get the 
natural deduction rules for the existential quantifier: 

3 - introduction 

a e A B(a) true 
(3xeA)B(x) true 

3 - elimination 

(3xeA)B(x) true C prop C true [x e A, B(x) true) 

C true 

Example. All elements in a £ set are pairs 

We will prove that the proposition 

(VpeE (A, B))(3a e A) (36 eB(a)) (p = E(A , S) (a, 6}) 

is true for an arbitrary set A and an arbitrary family B of sets over A. 

Assume that p € E(A, B). We will prove that the proposition 

(3aeA)(3beB(a)) (p=^a,b) (a,b }) 

is true by E-elimination. So, we assume that x e A and y € B{x) and try to 
prove (3a e A)(3b e B(a)) ((x,y) = E (a,b) (a, 6}) . But this is immediate from 
the facts that x e A and y e B(x), since then we get that (x, y) = E (a,b) (x, y) is 
true by Id-introduction. And then we can use 3-introduction twice to conclude 
that (3aeA)(3beB(a)) (x,y ) = E (a,b) (a, 6). Finally, we get the desired result 
by an V-introduction. 




Chapter 14 


The set of small sets 
(The first universe) 

14.1 Formal rules 

The idea behind the set of small sets, i.e. the first universe, is to reflect the set 
structure on the object level. In programming we need it for many specifications 
when the most natural way of expressing a proposition is to use recursion or 
conditionals. We also need it in order to prove inequalities such as 0 ^|\| succ(O) 
(see later in this section). It is also necessary when defining abstract data types 
in type theory (see chapter 23). 

We shall first introduce a set U of small sets, where U is a primitive constant 
of arity 0, which has constructors corresponding to the set forming operations 
{*i, ■ • ■ ■ i n }■ N, List, Id, +, II, E, and W. The set forming operation W is used 
to represent well-orderings in type theory and is introduced in chapter 15. We 
start by introducing the following primitive constants: {fy,..., i n } and N of arity 
0, List of arity 0—»0, Id of arity 0®0®0—»0, + of arity 0®0—»0 and II, E and 
W of arity 0®(0—»0)—»0. 

A problem with the set U is that, because of the enumeration sets, the 
number of constructors is not fixed; this makes it impossible to formulate an 
induction principle for U. We will therefore, in section 14.2, change the set 
structure and the set of small sets in order to justify an elimination rule for 
the universe. One motivation for this is to introduce a selector urec, which is 
necessary for doing computations with the elements in the set of small sets. 

The set of small sets is defined by giving its canonical elements and their 
equality relation. The idea is to let each canonical element represent (code) a set 
formed by using the set forming operations mentioned earlier. Simultaneously 
with the definition of the canonical elements, we will define a family of sets 
Set(x) set [x € U] which decodes the elements in the universe to the set they 
represent. The canonical elements are given by the introduction rules. 

U - formation 

U set 

U - introduction 1 

{*i,..., i n } € U 
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Set- introduction 1 

Set({ii,^^ w }) = {ij. ,*„} 


U - introduction 2 

NeU 

Set - introduction 2 

Set(N) = N 

U - introduction 3 

deu 

List(A) e U 

Set - introduction 3 

deu 

Set(List(A)) = List(Set(A)) 

U - introduction 4 

4eU 

a £ Set(A) b £ Set(dL) 


\d(A,a,b) £ U 

Set - introduction 4 

AgU 

a £ Set(A) b £ Set(A) 

Set(id (A,a,b)) = ld(Set(A),o,6) 

U - introduction 5 

A£U B£ U 


A+B £ U 

Set - introduction 5 

A£U B£ U 

Set (A+B) = Set(A) + Set(B) 

U - introduction 6 

deu 

B(x) £ U [x € Set(.A)] 


H(A,B) 6 U 

Set - introduction 6 

deu 

B(x) £ U [x € Set(A)] 


Set(fl(A, B)) = n(Set(A), (*)Set(B(a:))) 
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U - introduction 7 

A e U B(x) e U [x e Set(A)] 

S(i4,B) € U 

Set - introduction 7 

16U B(a) G U [x G Set(A)] 

Set(S(A, B)) = E(Set(A), (x)Set(B(x))) 

U - introduction 8 

leu B(a) eU[ie Set(A)] 

V®B) IS§ 

Set - introduction 8 

16U B(a) eU[ie Set(A)] 

Set(W(A, B)) = W(Set(A), (®)Set(B(®))) 

The formation rules for the set of small sets are justified by the way the 
canonical elements and their equality relation were introduced. The formation 
rules are: 

Set - formation 1 

dgU 

Set(A) set 

Set - formation 2 

d = BeU 
Set(A) = Set(B) 

The premise igll means that the value of A is a canonical element in the 
set U, and since Set(a;) is defined to be equal to a set whenever a; is a canonical 
element in the set U, we may conclude that Set(x) is a set. And, similarly, 
A = B £ U means that A and B have equal canonical elements in the set U 
as values. The corresponding sets must therefore be equal, since the equality 
relation between the canonical elements in the set U exactly corresponds to the 
set equality relation. 

We shall often use the same notation for the elements in the set U and the 
sets they represent. From the context, it is always possible to reconstruct the 
correct notation for the expressions. For example, instead of 

Set(natrec(n, Bool, (x, FjBool^F)) 


ve write 


iatrec(n, Bool, (a:, T)Bool —► Y) 
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Example. Peano’s fourth axiom 

When we have introduced the universe set we are able to prove that the propo¬ 
sition 

0 succ(n) 

is true for an arbitrary neN. That is, if we express it in terms of sets, we can 
construct an element peanoj. in the set 

ld(N, 0, succ(n)) —> {} 

We will do this by assuming that the set ld(N, 0, succ(n)) is nonempty and 
show that we then can construct an element in the empty set. We will use 
substitutivity of propositional equality on a predicate over the natural numbers 
which is true only for the number zero. 

We start by assuming n g N and x g ld(N, 0, succ(n)). By using N-elimination, 
we get 

natrec(m, T, (y, z){}) g U [to g N] 

We make the definition 

Is-zero(m) = Set(natrec(m, T, (y, z){})) 

From N-equality and Set-formation we get the set equalities 
Is.zero{ 0) = Set(T) = T 
Is-zero(succ(n)) = Set({}) = {} 

Using substitutivity of propositional equality we get that 
subst(x, tt) g Is-zero(succ(n)) 
which by Set-equality yields 


subst(x,tt) g {} 

Finally, by -►-introduction, we discharge the second assumption and obtain 
X((x)subst(x,tt)) € ld(N, 0, succ(n)) —> {} [n g N] 


So we may put 

peano4 = X((x)subst(x,tt)) 

and we have a proof of Peano’s fourth axiom. 

In [101] it is shown that Peano’s fourth axiom cannot be derived in type 
theory without universes. The proof is based on interpreting set theory without 
a universe in a domain with only two elements. So, a truth valued function <p is 
defined on the sets and, intuitively, <p(A) — T means that the interpretation of 
the set A is a set with one element and <p(A) = T means that A is interpreted 
as the empty set. ip is defined for each set expression A{x -\,..., x n ) by recursion 
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on the length of the derivation of A(xi ,..., x n ) set [x\ £ Ai, . . . , x n £ 
A n (x i,... ,x n -\)\, using the clauses 


<^({}) 
<p{{h, ■ ■ ■ ,i n }) 
V(N) 
<^(ld(A, a, b)) 
ip(A + B) 
V >((Ux£A)B(x)) 
ip((ZxeA)B(x)) 
<p((\NxeA)B(x)) 
¥>({* £ A | £(*)}) 


ip(A) 

V{A) V <p(B) 

<p(A) -* ip(B(x)) 
y(A)/\y(B(x)) 
V{A) A (^(B(z))) 
<p{A)A w{B{x)) 


Here A, V, —and -• denote the usual boolean operations. 

That <p really interprets set theory in the intended way is the content of the 
following theorem, which is proved in [101]. 

Theorem Let a{x -\...., x n ) £ A(xj ...., x n ) be derivable in set theory without 
universes under the assumptions x-\ £ A- t . . . . , x n £ A n (x i,... Then 

>p(A(x 1 ,...,x n )) = T if <p{A{) = ■ • • =ip(A n (x i,...,x„_i)) = T. 

By the interpretation we can now see that for no type A and terms a and b 
does there exist a closed term t such that 


t £ ild(A, a, b) (*) 

is derivable in type theory without universes. Assume that (*) holds. Then 
there must exist a derivation of Id (A,a,b) set and, hence, also a derivation of 
a £ A. So, by the theorem, ip(A) = T which, together with the definitions of <p 
and gives 

M(A : aJ>)) = v>(ld (A,a,b) -» {}) = <p(ld(A,a,6)) = 

<P{A) -4$= T 

Hence, by the theorem, —>ld(^4, a, b) cannot be derived in type theory without 
universes. 

Assume that Peano’s fourth axiom can be derived, that is, that we, for some 
closed term s, have a derivation of 

s £ (nx€ N)-ild(N,0,succ(a:)) 

By n-elimination we get apply(s, 0) £ —ild(N, 0, succ(0)) which is of the form (*) 
and therefore impossible to derive in type theory without universes. 


Example. The tautology function 

A disadvantage with many type systems in programming languages is that some 
expressions, although perfectly reasonable, can not be assigned a type. The 
type systems are not well suited to express some properties needed for a safe 
evaluation of the expression. As an example, take the tautology function from 
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the SASL manual [110]. It determines if a boolean expression of n variables 
(represented as a curried function of n arguments) is a tautology or not. The 
function is defined, using SASL-notation, as: 

taut Of = f 

taut n f = taut(n - 1) (/ true) and taut(n — 1) (/ false) 

Since SASL is untyped, the function is not assigned a type and for most other 
typed languages the definition causes a type error. Informally the type of taut 
is 

(Iln e N)((Bool —> M Bool) —> Bool) 
where (Bool —>” Bool) is defined by the equations 

Bool —>° Bool = Bool 
Bool —» fc+1 Bool = Bool —> (Bool —> k Bool) 

So, for example, 

taut 0 e Bool —> Bool 

taut 3 € (Bool —> Bool —> Bool —> Bool) —» Bool 

and we can see that the type of the second argument depends on the value of 
the first. 

The type of taut can be expressed using the set U in type theory. Make the 
following definitions: 

and(x,y) = if x then y else false 

F(n) = natrec(n, Bool, (x, F)Bool —> Y) 
taut(n) = natrec(n, 

A ((/)/), 

{x,y)\((f)and(y ■ (/-true), 

V ■ if ■ false)))) 

Notice that we have used the infix version of the constant apply, 


x-y = apply (x,y) 

From these definitions, it immediately follows that 

and(x,y) € Bool [a: € Bool,t/ € Bool] (14.1) 

F( 0) = Bool e U (14.2) 

F(succ(a:)) = Bool F(x) e U [x € N] (14.3) 

Using Set-formation on (14.2) and (14.3), we get the set equalities 

F( 0) = Bool (14.4) 

F(succ(a;)) = Bool —> F(x) [x e N] (14-5) 


The goal is to prove: 


\((n)taut(n)) € (Iln e N)(F(n) —> Bool) 
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so we start by assuming that 

ne N 

and then prove taut(n) e F(n) —► Bool by induction on n. We first have the 
base case. It is easy to see that 

A((/)/) € Bool -► Bool 

and, since we from (14.4) and -►-formation get the set equality 
F( 0) —► Bool = Bool —> Bool 

we can conclude that 

A((/)/) e F( 0) - Bool (14.6) 

For the induction step, we make the assumptions 
ieN 

y e F(x) Bool 

The goal is to prove 

A ((f)and(y • (/ • true), y • (/ • false))) e F(succ(x)) -*• Bool 
We therefore make the assumption 

/ e F(succ(x)) (14.7) 

From (14.7) and the set equality (14.4), we get 
/ e Bool F(x) 

and then by -►-elimination 

/ • true e F(x) 

/ • false e F(x) 

and furthermore by using the induction hypothesis 
y ■ (/ • true) € Bool 
y ■ (f ■ false) € Bool 

By substituting these elements into (14.1), we obtain 

and(y ■ (/ • true), y ■ (/ • false))) e Bool 
By -►-introduction, we discharge assumption (14.7) and get 

A ((f)and(y ■ (/ • true),y • (/ • false))) e F(succ(a:)) -► Bool (14.8) 

We can now use N-elimination on (14.6) and (14.8) to obtain 
taut(n) G F(n) —> Bool 

and finally, by II-introduction, we get the desired result 


X((n)taut(n)) € (Iln e N)(F(n) -► Bool) 
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Example. An expression without normal form in the the¬ 
ory with extensional equality 

A canonical element in the set (IIxS A)B(x) is of the form X(b) where b(x) e 
B(x) [x e A] and the expression b(x) is not further evaluated. We have already 
remarked that evaluating b(x) would be the same as trying to execute a program 
which expects an input without giving any input. Using the extensional equality 
Eq and the universe in a crucial way, we will now give an example of a lambda- 
expression X(b) in the set {} -4 A, where, by regarding the evaluation rules as 
reduction rules, b(x) does not even terminate. 

By the use of the set of small sets, we will show that 

Set(A) = Set(-B) [A e U, B e U, x G {}] (14.1) 


Assume 

Since Eq(U, A, B) is a set, we get by {}-elimination that 

case 0 (x) € Eq(U, A, B) [A e U, B e U, x e {}] 

and by strong Eq-elimination it follows that 

A=BeU[AeU,BeU,j)6{}] (14.2) 

Set-formation 2 and (2) gives 

Set(A) = Set(-B) [A € U, Be U, x € {}] 

and, hence, we have a derivation of (1). 

Now assume 

* G {} (14-3) 

By choosing A to be N and B to be N^N, we get from (1) 

N = N -*■ N (14.4) 

Assume 

y e N (14.5) 

One of the rules for set equality applied on (4) and (5) gives 

ye N — N (14.6) 

From (5) and (6) we get, by -►-elimination, 

apply(y,y)eN (14.7) 

and from (7) we get, by -►-introduction, 

Ay.apply(y,y) € N —► N (14.8) 

thereby discharging the assumption (5). (6) and (8) give 


Aj/.apply(y, y) e N 


(14.9) 
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We can now apply -►-elimination on (8) and (9) to get 

apply(Ay.apply(y,y), Ay.apply(y, y)) € N 
and ^-introduction finally gives 

Ax.apply(Ay.apply(y,y), Aj/.apply(y,y)) € {} —> N 
thereby discharging the assumption (3). The expression 
apply(Ay.apply(y, y), Ay.apply(y, y)) 

is the well-known example from combinatory logic of an expression which re¬ 
duces to itself. Since this expression is not on canonical form, we have an 
example of a lambda-expression which is an element of a II-set and whose body 
does not terminate. Notice that there is no violation of the arity rules when 
forming apply(y, y) because apply is of arity 0®0—»0 and y is a variable of arity 
0. 

14.2 Elimination rule 

With a set of small sets that reflects a set structure with infinitely many set 
forming operations, it is impossible to justify a structural induction rule on 
the set. In order to be able to introduce such an induction rule, the small 
enumeration sets, i.e the sets {i \,.must be generated from finitely many 
basic enumeration sets. We shall therefore modify the system of set forming 
operations, and consequently also the set of small sets, to make room for an 
induction rule on the elements of the universe. The modified system will only 
contain two basic enumeration sets, the empty set and a set with one element 
(see the section on enumeration sets); the other enumeration sets are generated 
from these two sets by means of the disjoint union. With a set structure with 
only these two enumeration sets, we get a set of small sets where the first U- 
introduction rule is replaced by the rules: 

U - introduction la 

0 e U 
Set(0) = 0 

and 

U - introduction lb 

TeU 
Set(f) = T 

An enumeration set with more than one element is formed by repeated use of 
the T set and the disjoint union. We introduce the function constant N' of arity 
0 by the definition: 

N'(a;) = natrec(x, 0, (u, ujS'fy)) 


where 
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S'(x) = T+x 


So 


Set(S'(i4)) set [A G U] 


(14.10) 


and N' applied to a natural number n gives an element in U, which corresponds 
to an enumeration set with n elements. We can now prove that 


N'(a;) G U [x G N] (14.11) 

N , (succ(x)) = S^N^af}) G U [x g N] (14.12) 


From 14.11, we get, by Set-formation, 

Set(N , (a:)) set [x G N] 

Moreover, simplification gives us: 

Set(N , (0)) = 0 
Set(N , (l)) = T + 0 

with the element inl(tt), and 

Set(N / (2)) = T+(T+0) 

with elements inl(tt) and inr(inl(tt)), and so on. If the enumeration sets de¬ 
fined here are compared with the enumeration sets in [69] then Set(N'(&)) 
corresponds to INI*,, inl(tt) corresponds to 0* and inr(inr(... inr(inl(tt))...)) cor¬ 
responds to rife, with n being the number of ‘inr’-applications. 

By making the definitions: 


o' 
s'(a;) 
seas e'(x,y,z) 


inl(tt) 

inr(x) 

when(a;, (w)y, z) 


where o', s' and scase' are constants of arity 0, 0^0 and 0®0®(0—»0)—»0 
respectively, we can prove the judgements 


o' G Set(S , (^4)) [A G U] 

(14.13) 

s'(z) G Set(S'(^4)) [4 G U, x G Set(A)] 

(14.14) 

seas e'(x,y,z) G Set(C'(a;)) 

[A G U, X G Set(S'(A)), C(u) G U [tiG Set(S'(A))], 
y G Set(C(o')), z(v) G C(s'(n)) [v G Set(A)]] 

(14.15) 

scase'(o', y, z) =j/G Set(C'(o')) 

[4gU, C(u) g U [u g Set(S'(^4))], 
y G Set(C(o')), z(v) G C(s’(v)) [v G Set(A)]] 

(14.16) 

scase'(s'(x),y,z) = z(x) G Set(C(s'(a;))) 

[A G U, x G Set {A), C(u) G U [u G Set(S'(A))], 
y G Set(C(o')), z(v) G C(s») [v G Set(A)]] 

(14.17) 
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Per Martin-Lof has given a more direct formulation of the enumeration 
sets by introducing the set former S as a primitive constant with the follow¬ 
ing rules (compare with the theorems (14.10), (14.13), (14.14), (14.15), (14.16) 
and (14.17) above): 

S- formation 

A set 
S(A) set 

S- introduction 


o € S(A) 


a £ A 
s(a) € S (A) 


S- elimination 

a € S(A) b £ C(o) c(x) £ C , (s(a;)) [a; € A] 
sease(a, b, c) £ C(a) 


S- equality 


b £ C(o) c( x) £ C(s(x)) [a g A] 
scase(o, b,c) =b £ C( o) 

a £ S(A) b £ C(o) c(x) £ C(s(x)) [x £ A] 
scase(s (a),b,c) = c(a) £ C(s(a)) 

Given the reformulated set of small sets, we can now justify a structural 
induction rule, which is introduced as follows. First we introduce urec as a 
constant of arity 


0 ® 0 ® 0 ® 0 ® 

( 0 ® 0 —» 0 ) ® 

( 0 ® 0 ® 0 ® 0 —» 0 )) ® 

( 0 ® 0 ® 0 ® 0 —» 0 )) ® 

( 0 ®( 0 —» 0 )® 0 ®( 0 —» 0 )—» 0 ) ® 

( 0 ®( 0 —» 0 )® 0 ®( 0 —» 0 )—» 0 ) ® 
( 0 ®( 0 ^ 0 )® 0 ®( 0 ^> 0 )^ 0 ) 

^0 

and we then define how urec( A ai,..., dg) is computed by the following rules 
(a => b means that b is the value of a). 


a => 0 ai =>■ b 

urec(a, di, d2,0:3, d4, ds, dg, d7, ds, dg) =>• b 

a => T d2 => b 
urec(d, di, d2,..., ag) => b 

a =» N d 3 => & 
urec(d, di, d 2 ,..., dg) => b 
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a => List(A) 04 (A, urec(A, ai, a 2 , •••, ag)) => b 
urec(a, ai, a 2 ,..., ag) => b 

a =>■ ld(A, c, d) as(A,c,d, urec(A, ai, ...,ag)) =>■ b 
urec(a,oi,a 2 , ...,ag) => b 

a => A+B a 6 (A, B, urec(A, oi,ag), urec(B, ai,..., ag)) => b 
urec(a, ai, a 2 ,ag) =>■ b 


a => n(A, B) 

a 7 (A, B, urec(A, ai,. 

.., ag), (lo)urec(B(iu), ai,.. 

.,a 9 )) => b 


urec(a,ai,a 2 , 

—,ag) => b 


a =>■ £(A, B) 

as (A, B, urec(A, ai,. 

• ag), (iy)urec(B(tu), ai,.. 

•> ag)) => b 


urec(a,ai,a 2 , 

-,ag) => b 


a=> W(A,B) 

a g (A, B,u rec( A, ai, 

..., a 9 ), (lo)urec(B(tu), ai,.. 

,.,a 9 )) =* b 


urec(a, ai, a 2 , 

...,a 9 ) =» b 


A restriction in these rules is that w must not occur free in B, ai, 
It would otherwise be bound in (w)urec(B(w), ai, ...,ag). 

..., as or ag. 


The computation rule for urec justifies the following elimination rule for the 
set of small sets: 


U- elimination 
ae U 

C(v) set [u G U] 
ai G (7(0) 
a 2 G (7(f) 
a 3 G <7(N) _ 

ai(x,y) G <7(List(ar)) [i£U, y G C(x)\ 

a*,(x,y,z,u) G C(\d(x,y,z)) [x € U, y e Set(a;), z G Set(x), uGC(x)\ 
a 6 (x,y, z,u) G C(x+y ) [ieU, y G U, z G C(x), u G <7(y)] 
a 7 (x,y, z,u) G C(H(x,y)) [x G U, y(v) G U[u G Set(x)], 

* e C(x), u(v) G C(y(v))[v G Set(x)]] 
ag(x,y, z,u) G C(E(x,y)) [x G U, y(v) G U[u G Set(a;)], 

* e C(x), u(v) G C(y(v))[v G Set(*)]j 
a 9 (x,y,z,u) G C(W(x,y)) [x G U, y(v) G U[u € Set(x)], 

_ * g C(x), u(v) G C{y{v))[v G Set(x)]] 

urec(a, ai, a 2 , a 3 , 04 , as, a 6 , a 7 , as, ag) G (7(a) 

Here x, y, z and u must not occur free in the abstraction (7. In the following 
rules we will not write down the premise C(v) set [u G U]. 

We also have an elimination rule where the premises and conclusion are of 
the form a = b G A. Furthermore, the computation rule for urec justifies the 
following equality rules. The last 9 premises of all the equality rules are the 
same as the last 9 premises of the elimination rule above. 

U- equality 1 

ai € (7(0) a 2 € (7(f) . . . a 9 (.r, y, z, u) G nWl.r, y)) [, , ,] 

urec(0, ai, a 2 , a 3 ,04, as, a6, a 7 , as, ag) = ai G (7(0) 
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U- equality 2 

a i e <7(0) « 2 e c( T) ... g 9 (x, y , Z, u) e C(Wfo y)) [...] 

urec(T, oi, 02,03, 04, as, a6, a?, as, ag) = a2 € ( 7 (T) 

U- equality 3 

O! e c( 0 ) «2 € C(T) ... ag(x, y, z, u ) € C(\N(x,y)) [...] 

urec(N, oi, 02,03,04,05,a6,07,as,ag) = 03 G ( 7 (IM) 

U- equality 4 

AgU ai eC(0) ... a 9 (x,y,z,u) G C'Q/V^)) [...] 

urec(List(A), ai,..., a 9 ) = 04(A) urec(A, ai,..., a 9 )) G ( 7 (List(A)) 

U- equality 5 

AgU 
c G Set(A) 

d G Set(A) ai G ( 7 ( 0 ) 

a 9 (x, y, z, u) G C(W(x, y)) [...] 
urec(ld(A, c, d), ai, ..., a 9 ) = 
a 5 (A, c, d, urec(A, ai, ..., a 9 )) G < 7 (ld(A, c, d)) 


U- equality 6 

Ag U 
Be U 
ai G (7(0) 

g 9 (a;, y, z, u) G C(W(a;, y)) [...] _ 

urec(A+B, ai,..., a 9 ) = 

06(A, B, urec(A, ai..., a 9 ), urec(S, ai,..., ag)) G C(A+B) 


U- equality 7 
Ag U 

B(x) e U [x G Set(A)] 
ai G (7(0) 

a 9 (x,y, z,u) eC(\N(x,y)) [■ ■ ■] _ 

urec(II(A, B), 01 ,..., ag) = 

07 (A) B, urec(A, ai,..., o 9 ), (w)urec(B(w), oi,..., a 9 )) G (7(II(A, B)) 
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U- equality 8 
ieU 

B(x) eu[ie Set(A)] 

O! e <7(0) 

g 9 (cc, y,z, u ) € (7(W(x, y)) [...] _ 

urec(£(A, B), oi,..., a 9 ) = 

a 8 (A, urec(A, oi,..., a 9 ), ('u;)urec(/S(u.>),aj...., a 9 )) € <7(X!(.A, B)) 


U- equality 9 
Ae U 

B(x)€U[x€ Set(A)] 
ai € (7(0) 

a 9 (x,y,z,u) e C(W(x,y)) [■ ■ ■] _ 

urec(W(A, B), ai,..., a 9 ) = 

ag(A, B, urec(A, ai,..., a 9 ), (w)urec(.B(w),o 9 )) e (7(W(A, B)) 

The variables x, y, z and u must not occur free in C, and there must be no 
free occurrences of w in B, a±, ... or o 9 . 




Chapter 15 

Well-orderings 


In order to introduce the well-ordering set constructor (or well-founded tree set 
constructor) we introduce the primitive constants 

W of arity (0®(0—»0))—»0 
sup of arity (0®(0—»0))—»0 
wrec of arity 0®(0®(0—»0)®(0—»0)—»0)—»0 

With the well-order set constructor we can construct many different sets of 
trees and to characterize a particular set we must provide information about 
two things: 

• the different ways the trees may be formed, and 

• for each way to form a tree which parts it consists of. 

To provide this information, the well-order set constructor W has two arguments: 

1. The constructor set A. 

2. The selector family B. 

Given a constructor set A and selector family B on A, we can form a well-order 
W(T, B) (two other notations are (\Nx€ A)B(x) and \N a& AB{x)). The formation 
rule therefore has the following form: 

W - formation 


A set B(x) set [x e A] 

\N{A, B ) set 

The elements in the set A represents the different ways to form an element in 
W(A, B) and B(x) represents the parts of a tree formed by x. 

The elements of a well-order W(A, B) can, as we already mentioned, be seen 
as well-founded trees and to form a particular element of W(.4, B) we must say 
which way the tree is formed and what the parts are. If we have an element a in 
the set A, that is, if we have a particular form we want the tree to have, and if we 
have a function from B(a) to W(.4, B), that is if we have a collection of subtrees, 
we may form the tree sup(a, b). We visualize this element in figure 15.1. The 
introduction rule has the form 
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W - introduction 

a € A b(x)e\N(A,B) [x G B{a)] 
sup (a, 6) e\N{A,B) 

It may seem strange that we do not have a particular introduction rule for 
the leaves, but we get the same effect if we choose B(x) to be the empty set for 
some x £ A. In the introduction rule we can see that we must provide a function 
from B(x) to \N(A,B) in order to form an element supfa, b). In the case when 
B(x) is the empty set, we use a small “trick” to provide such a function. From 
the assumption x £ {}, we can, by using the {}-elimination rule, conclude that 
case{}(a:j is an element of an arbitrary set, and in this case we of course choose 
\N(A,B). So if B(a) is empty, then (x)case{}(x) = casejj is a function from 
B(a) to \N(A,B) and sup(a, case{}) is an element of W(A, B). 

Let us take a simple example. We want to construct a well-order set to 
represent simple binary trees which, for example, could be defined in ML [72] 
by 

datatype BinTree = leaf \ node of BinTree * BinTree 
There are two different ways of constructing a binary tree, one to construct 
a leaf and one to construct a compound tree. The constructor set A must 
therefore contain two elements, and we can for example use the enumeration 
set { leaf node}. A leaf does not have any parts, so B(leaf) must be the empty 
set, and a compound tree has two parts, so we can choose B(node) as the set 
{left, right}. Putting this together, we get a well-order set 

BinTree = \N({leaf node}, (a:)Set(case{; ea / ino d e }(a;, {}, {left, right}))) 

which has representations of all binary trees as elements. Notice that we must 
use the universe set to construct the family B. The elements of this well-order 
are always of one of the forms 

sup(fea/, case{}) sup(node, (a;)cas £{i e ft, r ight}{x,t',£')) 

where t! and t" are two elements in W(T, B). By introducing definitions 
leaf = sup(tea/, case) 
node'{t',t") = sup(node, (a^case^t'jt")) 
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we get expressions for the elements that look just like the corresponding ML 
expressions. 

The non-canonical constant in a well-ordering is wrec and the expression 
wrec(a, b ) is computed as follows: 

1. Compute the value of a. 

2. If the value is sup(d, e), then the value of wrec(a, b ) is the value of 
b(d, e, (x)wrec (e(x),b)). 

The computation rule for wrec justifies the following elimination rule: 

W - elimination 
ae\N(A,B) 

C(v) set [veW(A,B)l 
b(y,z,u ) € C(sup(j/,2)) 

[y g A, z(x) € W(A, B) [x g B(y)], u(x) g C(z(x)) [x € B(y)}} 
wrec(a, b) e C(a) 

and the following equality rule 
W - equality 
deA 

e(x)s\N(A,B) [x e B(d)} 

C(v) set [v € W (A, B)] 
b(y,z,u) 6 C(sup(y,z)) 

[y g A, z(x) € W(T, B) [x g B(y)], u(x) g C(z(x)) [x g B(y)}} 
"wrec(sup(d, wrec(e($)j h)| ^C f {sup(cf,e)j 

As an example of how the non-canonical constant can be used, we define the 
function that counts the number of nodes in a binary tree and which in ML 
could be defined by: 

fun nrofnodes(leaf) = 1 

nrofnodes(node(t' ,t")) = nrofnodes(t') + nrofnodes(t") 

In type theory this function could be defined by 

nrofnodes{x) = wrec(x, (y, z, u)case(y, 1, u(left) + u{righ£))) 

Using the elimination rule, we immediately see that 

nrofnodes{x) e N [i€ BinTree] 

and using the equality rule, we immediately get the equalities that correspond 
to the ML definition. 

In the same way as we above introduced defined constants to get a nicer 
syntax for the elements of the type BinTree , we can make a definition and get 
a constant that behaves just like a recursion operator on binary trees. 

trec'(t, a, b) = wrec(t, (x,y, z)case(a;, a, b(y(left),y(right), z(left), z(right)))) 
The equality rule for wrec corresponds to the equalities: 
tree' (leaf , a, b) = a 

tree'(node 1 (t',t"), a, b ) = b(t', t", trec'(t', a, b), tred(t", a, b)) 
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And the function counting the number of nodes, which we defined above, can 
then be defined as 

nrofnodes = trec'(x, 1, z', z") z'®z") 

Example. Defining the natural numbers as a well-ordering 

It is not difficult to see that the set of natural numbers can be defined by the 
following abbreviations: 

N = (Wx £ {zero, succ}) Set(case(a;, {}, T)) 

0 = sup(zero, case) 

succ(a) = sup(s«cc, ( x)a ) 

natrec(a, b, c) = wrec(a, (y, z, u)case(y, b, c(z(tt), «(tt))) 

The idea is to let the ruth natural number be represented by a thin tree of height 
n. We immediately see from the W-formation rule that 

(Wx £ {zero, succ}) Set(case(x, {}, T)) set 

and therefore, using the definition of N, that the formation rule for the natural 
numbers can be proved. We can also see, by using the W-introduction rule, that 

sup(2ero, case) £ (Wx £ {zero, succ})Set(case(x, {}, T)) 

and hence, using the abbreviations, that the first N-introduction rule, 0 £ N, 
holds. The second introduction rule, succ(x) e N [x e N], corresponds to the 
judgement 

sup(s«cc, ( y)x ) £ (Wx £ {zero, succ}) Set(case(x, {}, T)) 

[x £ (Wx £ {zero, s«cc})Set(case(x, {}, T))] 

which also is proved directly from the W-introduction rule. 

Unfortunately the N-elimination rule and the N-equality rule can not be 
proved using the intensional equality in type theory. The reason for this is 
that there are more elements in the well-order representing the natural numbers 
than one expect at first. An element sup(o, b) of a well-order has a functional 
component b and the intensional equality means that two functions are equal 
only if they convert to each other. So the two functions 

(x) 0 and (x) 1 

which maps elements in the empty set to natural numbers are not equal even 
if they give the same result for all elements in the domain. The consequence 
of this for the representation of natural numbers is that there are elements in 
the well-order that do not represent any natural number. With an extensional 
equality this problem never occurs. 
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15.1 Representing inductively defined sets by 
well-orderings 

Most programming languages have some construction for defining types by in¬ 
ductive definitions. “Old” languages use pointers and records and “modern” 
languages use more sophisticated constructions, see for example [51] and [72]. 
In type theory the well-order set constructor can be used for representing many 
inductively defined sets. But as we remarked above, we must have an extensional 
equality in order to get the correct elimination and equality rules. 

We have shown above how one could represent binary trees and natural num¬ 
bers by well-orders. Let us also show how one can define an inductively defined 
set which uses another set in its definition. Consider the set of binary trees with 
natural numbers in its nodes and defined by the following ML definition 

datatype BinTree = leaf of N | node of N * BinTree * BinTree 

In order to represent this set by a well-order one must consider the natural 
number as part of the constructor of the tree and instead of having a two 
element set as the set of constructors, we now need N x N. The selectors for 
inl(n) is the empty set and for inr(n) the set { left, right}. So 

W(N + N, (a;)Set(when(a;, («){}, (n){leffright}))) 

is a well-ordering that represents the type of binary trees with natural numbers 
in its nodes. The elements are of the form 

sup(inl(n),case) and sup(inr(n), (x)case(x,t',t")) 

where n is a natural number and f and t" are two elements in \N(A, B). To get 
a better syntax, we can introduce three definitions: 

leaf'(n) = sup(inl(n), case) 

node (n,t! ,t!') = sup(inr(n), (x)case(x,t',t")) 

trec"(t,a,b ) = wrec(t, 

(y, z i u)when(y, a, ( n)b(n , 

z(left), 
z (right), 

u ( left ), u ( right )))) 

The function that adds all the numbers in a tree could in type theory be defined 
by 


addnum(x) 


tred'(x, ( n)n , (n, y, z, u , v)n + u + v) 

wrec(x, ( y , z, w)when(t/, (n)n, ( n)n + u(left) + u(right)) 
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Chapter 16 

General trees 


When we introduced the well-order set constructor in the previous chapter, we 
said that many inductively defined sets could be represented by well-orders and 
that the elements of a well-order could be seen as well-founded trees. The well- 
order set constructor, however, is not easy to use when we want to define a 
family of mutually dependent inductive sets, or mutually dependent families of 
trees. 

For example if we want to represent the types defined in ML by 

datatype Odd = sO of Even 
and Even = zeroE \ sE of Odd ; 

it is possible but quite complicated to do this by using well-orders. We therefore 
introduce a set constructor, Tree, which could be used for representing such sets 
in a more direct way. Notice that we must have an extensional equality to get 
the correct elimination and equality rule when we represent inductively defined 
types by well-orders and general trees. The set constructor for general trees was 
first introduced in [88] on which the following chapter is based. 

The constructor should produce a family of sets instead of one set as the 
well-order set constructor does. In order to do this, we introduce a name set, 
which is a set of names of the mutually defined sets in the inductive definition. 
A suitable choice of name set for the example above would be {Odd, Even}. 
Instead of having one set of constructors B and one index family C over B, as 
in the well-order case, we now have one constructor set and one selector family 
for each element in A. The constructors form a family of sets B, where B(x) 
is a set for each x in A and the selector family forms a family of sets C where 
C(x,y) is a set for each x in A and y in B{x). Furthermore, since the parts 
of a tree now may come from different sets, we introduce a function d which 
provides information about this; d(x, y, z) is an element of A if x £ A, y e B(x) 
and z G C{x,y). We call this element the component set name. 

The family of sets Tree(A, B, C, d) is a representation of the family of sets 
introduced by a collection of inductive definitions, for example an ML data type 
definition. It could also be seen as a solution to the equation 

T^(x)(Zy e B{x)){Uz e C(x,y))T(d(x,y,z)) 
where T is a family of sets over A and x € A. This equation could be interpreted 
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a possibly infinite collection of ordinary set equations, one for each a £ A. 

T( ai ) s (Ey£B{a 1 ))(Hz£C(a u y))T(d(a 1 ,y,z)) 

T(a 2 ) St (Ey£B(a 2 ))(Uz£C(a 2 ,y))T(d(a 2 ,y,z)) 


Or, if we want to express the tree set constructor as the least fixed point of a 
set function operator. 

Tr ee(A,B,C,d) Si F\X((T)(x)(Ey £ B(x))(n Z £ C(x,y))T(d(x,y,z))) 

Comparing this equation with the equation for the well-order set constructor 

W(B,C) = FIX((A’)(£$/ £ B)C(y) —» X) 

we can see that it is a generalization in that the non-dependent function set, 
has become a set of dependent functions, II. This is a natural general¬ 
ization since we are now defining a family of sets instead of just one set and 
every instance of the family could be defined in terms of every one of the other 
instances. It is the function d that expresses this relation. 

16.1 Formal rules 

In order to be able to formulate the rules for the set constructor for trees, we 
introduce the primitive constant Tree which has the arity 

0 ®( 0 —» 0 )®( 0 ® 0 —» 0 )®( 0 ® 0 ® 0 —» 0 )—» 0—»0 

tree of arity 0®(0—»0)—»0 and finally treerec of arity 

0 ®( 0 ®( 0 -^ 0 )®( 0 ^ 0 )^ 0)-^0 

The formation rule for the set of trees is: 

Tree - formation 

A set 

B(x) set [x £ A] 

C(x,y) set [x £ A, y £ B(x)] 

d(x, y, z) £ A [x £ A, y £ B(x), z £ C(x,y)] 

a £ A 

Tree(A, B,C,d)(a) set 

The different parts have the following intuitive meaning: 

• A, the name set, is a set of names for the mutually dependent sets. 

• B(x), the constructor set, is a set of names for the clauses defining the set 
x. 


• C(x,y), the selector family, is a set of names for selectors of the parts in 
the clause y in the definition of x. 
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• d(x,y,z), the component set name, is the name of the set corresponding 
to the selector z in clause y in the definition of x. 

• a determines a particular instance of the family of sets. 

Understood as a set of syntax-trees generated by a grammar, the different 
parts have the following intuitive meaning: 

• A is a set of non-terminals. 

• B(x ) is a set of names for the alternatives defining the non-terminal x. 

• C(x, y), is a set of names for positions in the sequence of non-terminals in 
the clause y in the definition of x. 

• d(x, y, z), is the name of the non-terminal corresponding to the position z 
in clause y in the definition of x. 

• a is the start symbol. 

In order to reduce the notational complexity, we will write T(a) instead of 
Tree(A, B, C, d)(a) in the rest of this chapter. 

The introduction rule for trees has the following form 
Tree - introduction 

a £ A 
b £ B(a) 

c(z)£T(d(a,b,z )) [z£C(a,b)} 
tree(a, b, c) £ T(a) 


Intuitively: 

• a is the name of one of the mutually dependent sets. 

• b is one of the constructors of the set a. 

• c is a function from C(a, b) to a tree. This function defines the different 
parts of the element. 

The element tree(a, b, c) in the set T(a) corresponds to the tree in figure 16.1, 
where C(a,b) = {zi,... ,z n ,.. .} and cfa) £ T(d(a,b,Zi)). 

The elimination rule has the form 
Tree - elimination 

D(x,t ) set [x £ A,t £ T (a:)] 
a £ A 
t £ T (a) 

f(x,y,z,u) £ D(x,tree(x,y,z)) 

[x £ A, y £ B(x), z(v) £ T(d(x,y,v)) [v £ C(x,y)], 

u(v) £ D(d(x,y,v), z(v)) [v £ C{x,y)}} _ 

treerec(t,/) £ D(a,t ) 

Its correctness follows from the computation rule for the non-canonical constant 
treerec which says that the expression treerecfd, e) is computed as follows 
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1. Evaluate d to canonical form. 

2. If the value of d is tree(a, b, c) then the value of the expression is e(a, b, c, (x)treerec(c(x), d)). 
The computation rule is also reflected in the equality rule: 

Tree-equality 

D(x,t) set [x G A,t G T(x)\ 
a £ A 
b G B(a) 

c(z) G T(d(a, b, z)) [z G C(a,b)] 
f(x, y , z, u) G D(x, tree(x, y, z)) 

[x G A,y G B(x),z(v) G T(d(x,y,v)) [u G C(x,y)\, 

_ u(v) € D(d(x,y,v),z(v)) [u G C{x,y)]] _ 

treerec(tree(a, b, c), /) = f(a,b,c, (x)treerec(c(x),/)) G D(a,tree(a, b, c)) 


16.2 Relation to the well-order set constructor 

A well-order set \N(B,C) can be seen as an instance of a Tree set. We get the 
well-orders by defining a family of trees on a set with only one element. If we 
make the definitions: 

\N(B,C) = Tr ee{T,(x)B,(x,y)C(y),(x,y,z)tt,tt) 

sup(6, c) = tree(tt,6,c) 
wrec (t,f) = treerec (t,(x,y,z,u)f(y,z,u)) 

where T is the set consisting of the element tt. Then we can derive the rules for 
well-orders from the rules for trees as follows: 

Formation rule: If we assume that the premises of the well-order formation 
rule hold, that is, if we assume 


B set 

C(y) set [y G B] 
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we can infer 


T set 

((x)B)(x) set [xeT] 

((x, y)C(y))(x, y) set [x £ T, y £ B] 

((x, y, z)tt)(x, y, z) £ T [x e T ,y £ B,z£ C(y)} 

tt e T 


and then, by the Tree-formation rule, get 

Tree(T, ( x)B , (x, y)C(y), (x, y, z) tt, tt) set 
which is the same as 


W(B, C) set 

and also the conclusion of the formation rule. So we have proved that 
the formation rule holds for the definition of well-orders in terms of 
trees. 


Introduction rule: Assume 
beB 

c(z)e\N{B,C) [z £ C(b)] 

From the last assumption we get 

c(z) £ Tree(T, (x)B, (x, y)C(y), (x, y, z) tt, tt) [* e C(b)} 

It then follows that 
tt € T 

b€((x)B)( tt) 

c(z) e Tree(T, (x)B,(x,y)C(y),(x,y,z)tt,((x,y,z)ti))(tt,b,z) 
[z £ ((x,y)C(y))(b)} 

and, from the Tree-introduction rule, 

tree(tt, b, c) e Tree(T, ( x)B , ( x,y)C(y ), ( x,y , 2:)tt,tt) 

which is the same as 

sup(6, c) e\N{B,C) 

The elimination and equality rules could be proved in the same way. 
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16.3 A variant of the tree set constructor 

We will in this section introduce a slight variant of the tree set constructor. 
Instead of having information in the element about what instance of the family 
a particular element belongs to, we move this information to the recursion op¬ 
erator. We call the new set constructor Tree', the new element constructor tree' 
and the new recursion operator treerec'. The formation rule for Tree 7 is exactly 
the same as for Tree, but the other rules are slightly modified. 

T ree'-introduction 

a g A 
b g B(a) 

c(z ) g Tree'(A, B, C, d , d(a, b, z)) [z g C(a , b)] 
tree'(6, c) g Tree'(A, B, C, d, a) 


T ree'-elimination 

D(x, t ) set [a; g A, t g Tree'(A, B, C, d, a;)] 
a g A 

t g Tree'(A, B, C, d, a) 
f(x, y, z, u) g D(x, tree'(y, z)) 

[x g A,y g B(x),z(v) g Tree'(A, B,C, d, d(x, y,v)) [v g C(x,y)\, 
u(v) g D(d(x, y, v),z(v)) [t> g C{x,y)}} 

treerec '(d,a,t,f) g D(a,t ) 

The formulation of the equality rule is straightforward. Notice that we in 
the first version of the tree sets can view the constructor tree as a family of 
constructors, one for each a g A. In this variant we have one constructor for 
the whole family, but instead we get a family of recursion operators, one for 
each a in A. 


16.4 Examples of different tree sets 

16.4.1 Even and odd numbers 

Consider the following data type definition in ML: 

datatype Odd = sO of Even 
and Even = zeroE \ sE of Odd ; 

and the corresponding grammar: 

<odd> ::= so(<even>) 

<even> ::= 0# | Ss(<odd>) 

If we want to define a set with elements corresponding to the phrases defined 
by this grammar (and if we consider <odd> as start symbol), we can define 




16.4. EXAMPLES OF DIFFERENT TREE SETS 


109 


OddNrs = Tree(A, B, C, d)(a) where: 

A = {Odd, Even } 


B(Odd) = {so} 

B(Even) = {zero E ,s E } 

i.e.B = (x)case {0ddEven} ( x , {so}, {zero E , s E }) 

C(Odd,so) = {pred 0 } 

C(Even,zero E ) = {} 

C{Even,s E ) = {pred E } 

i.e.C = {x,y)case { 0 ddEven} (x, 

{pred Q }, 

cas e {zer o B ,s E }(y, {}, {pred E })) 

d(0dd,so,pred o ) = Even 

d(Even,s E ,pred E ) = Odd 

i.e.d = ( x,y,z)case { 0 ddEven} (x, 

Even, 

Odd) 

The element s E (so(zero E )) is represented by 

2 e = tree(.E?;en, s E , (x)tree(Odd, so, (x)tr ee(Even, zero E , (a:)case{}(x))) 
and so(sb(so(0e))) is represented by 

3o = tree(Odd, so,(x) 2 e ) 

We get the set of even numbers by just changing the “start symbol” 

EvenNrs = Tr ee(A, B,C,d)(Even) 

and we can define a mapping from even or odd numbers to ordinary natural 
numbers by: 

tonat(w) = treerec(w, 

(x,V,z,u) case { 0 ddEven} (x, 

succ (u(pred 0 )), 
cas e {Z ero B ,s E }(y, 

0, 

succ (u(pred E ))))) 

and it is easy to prove that 

tonat(w) e N [u e {Odd, Even}, w e Tree(A, B, C, d)(u)] 
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16.4.2 An infinite family of sets 

In ML, and all other programming languages with some facility to define mu¬ 
tually inductive types, one can only introduce finitely many new data types. A 
family of sets in type theory, on the other hand, could range over infinite sets 
and the tree set constructor therefore could introduce families with infinitely 
many instances. In this section we will give an example where the name set is 
infinite. 

The problem is to define a set Array(A,ri), whose elements are lists with 
exactly n elements from the set A. If we make a generalization of ML’s data 
type construction to dependent types this type could be defined as: 

Array(E, 0) = empty 

Array(E,s(n)) = add of E x Array(E,n)) 


The corresponding definition with the tree set constructor is: 

Array(E,n ) = Tree^N, B, C, d)(ri) 


where 

B(n) 

C(n,x) 

d(n,x,y) 

We can then define: 


natrec(n, {nil}, ( x , y)E) 
natrec(n, {}, ( x , y){tail}) 
natrec(n, case{}(y), ( z,u)z ) 


empty = tree'(mZ, case{}) 
add(e,l ) = tree'(e, l) 


as the elements. Notice that we in this example have used the variant of the 
tree constructor we introduced in section 16.3. 




Part II 
Subsets 


ill 




Chapter IT 

Subsets in the basic set 
theory 


We will in this section add sets formed by comprehension directly to the basic 
set theory in a similar way as we have introduced the other primitive sets. As 
we already have mentioned, we will in this approach not be able to formulate a 
satisfactory elimination rule. 

Let A be a set and B a propositional function (family of sets) defined on 
the set A, i.e. assume A set and B{x) set [x £ A}. From these assumptions 
and the explanation of what it means to be a set, it follows that the canonical 
elements and their equality relation is understood for the set A and for the set 
B(a) whenever a £ A. 

The subset of A with respect to B is denoted 

miAB) 

where {|} is a constant of arity 0®(0—»0)—»0. Instead of {|}(A, B), we shall 
use the more lucid notation 


{x£A | B(x)} 

This set forming operation is defined, as all the other sets, by prescribing how 
to form canonical elements and how to form equal canonical elements: if a is a 
canonical element in the set A and B(a) is true, i.e. if there exists an element 
b £ B(a), then a is also a canonical element in the set [x £ A B(x)j. And if a 
and c are equal canonical elements in the set A and B(a ) is true, then a and c are 
also equal canonical elements in the set {x£A \ B(x)}. Since every propositional 
function is extensional in the sense that it yields equal propositions (sets) when 
it is applied to equal elements, it follows from a = c £ A and B(x) set [x £ A] 
that B(a) and B(c) are equal propositions (sets). And, consequently, from the 
requirement that B(a) is true, we immediately get that also B(c) is true. 

The introduction of the canonical elements makes sense precisely when A is 
a set and B(x) is a set under the assumption that x £ A. Hence, the formation 
rule for the subset becomes: 
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Subset - formation 


A set B(x) set [x £ A] 
{x£A | -B(x)} set 


For many sets, the prescription of how to form canonical elements and equal 
canonical elements immediately justifies the introduction rules, since the re¬ 
quirements for forming canonical elements can be expressed as premises of the 
introduction rules. The canonical elements of the subset, however, cannot jus¬ 
tify an introduction rule in this way, because the requirement that a should be 
a canonical element in A cannot be expressed as a premise. So we cannot form 
the introduction rule according to the general scheme. Instead, the introduction 
rule introduces expressions both of canonical and noncanonical form. From the 
explanation of the judgement a £ A, we know that a, when evaluated, will yield 
a canonical element in the set A as result. So if B(a) is true, we know that a 
will also yield a canonical element in the set {x£A \ B(x)}. The introduction 
rule becomes: 

Subset - introduction 1 


a £ A b£ B(a) 
a £ {x£A | B(x)} 


And similarly, if Gq = a 2 £ A, the evaluation of cq and a 2 will yield equal 
canonical elements in the set A as result and, therefore, if B(a i) is true, they 
will yield equal canonical elements in the set {x£ A 2 | B 2 (x)j. Since b £ B(a\) 
it follows from a\ = a 2 £ A and b £ B{a-\) that b £ B(a 2 ). This justifies the 
second introduction rule for subsets: 

Subset - introduction 2 


cq = a 2 £ A b £ -B(cq) 
Gq = a 2 £ {x £ A | B(x)} 


The subsets are different from all other sets in that the canonical and non¬ 
canonical forms of expressions depend only on the parameter set A. So from an 
element expression alone, it is impossible to determine the form of its set; it may 
belong to A as well as to a subset of A. But this cannot cause any confusion, 
since an element is always given together with its set. 

An elimination rule which captures the way we have introduced elements in 
a subset is impossible to give in type theory because when we have an element 
a in a subset {x £ A \ B(x)} we have no explicit construction of the proof 
element of B(a). The best formulation of an elimination rule we can give is the 
following: 
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Subset - elimination 1 

cG {x G A | -B(x)} d(x) G C(x) [x £ A, y G B(x)} 
d(c) € C{c) 

where y must not occur free in d nor in C 
Because of the syntactical restriction on free variables in the subset-elimination 
rule the strength of this rule is connected with the possibility of having rules in 
type theory where free variables, other than those discharged by the rule, may 
disappear in the conclusion. In our basic formulation of Martin-Lof’s set theory 
with the intensional identity Id, there are very few possibilities to get rid of free 
variables in an essential way. 

The strength of adding subsets to set theory with the elimination rule above 
is discussed in detail in [90] where it is shown that propositions of the form 

(Vz e {z e A | P(z)})P(x) (*) 

cannot in general be proved. In the intensional formulation we have of set 
theory, not even (Vx G {z G T | _L})T. can be derived. The proof in [90] of this 
is rather complicated, using a normalization argument. 

Propositions of the form (*) are important when modularizing program 
derivations, using a top-down approach and decomposing the specification into 
subproblems. When solving the subproblems we may want to use lemmas which 
have already been proved. The main idea of splitting up a problem into lemmas 
is, in program derivation as well as in mathematics, that our original problem 
can be reduced to the lemmas; in particular, there should be no need to look 
into the proofs of the lemmas. If we have a lemma which talks about subsets we 
certainly want (*) to be provable since if a G {x G A P{x)} we want to be able 
to conclude P(a) without having to investigate the proof of a G {x G A \ P{x)}. 

In set theory with the extensional equality Eq, there are more cases for which 
(*) can be proved. Let P(x) set [x G A]. The predicate P(x) is called stable if 

—<—<P(x) —> P(x) [x G A] 

Using strong Eq-elimination together with the universe, it is proved in [90] that 
(*) holds for all stable predicates, that is 

(V®eA)(-.-.P(a:) ->P(*)) -> (V* € {z G A | P(z)})P(x) 

holds in the extensional theory. Extending the basic extensional set theory with 
subset is discussed in detail in Salvesen [92]. 

It is also shown in [90] that if we put P(x) equal to 

( 3yGN)T(x,x,y) V -i(3yGN)T(x,x,y) 

where T is Kleene’s T-predicate, and put A equal to N, then (*) cannot be 
derived in Martin-Lof’s set theory extended with the above rules for subsets 
irrespectively of how we formulate the remaining rules; the only requirements 
are that the axiom of choice, as formulated in [69, 70], can be proved and that 
a typable term can be computed by a Turing machine. 

So the approach of this chapter to introduce subsets in the same way as the 
other sets and interpret proposition as sets results in a very weak elimination 
rule which, at least in the intensional theory, will not work in practice. 
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Chapter 18 


The subset theory 


In order to get an elimination rule by which we, for instance, can derive P(a) true 
from a € {xdA \ P(x)} we will now, following ideas of Martin-Lof, give a new 
meaning of the judgement A set. We then also have to give new explanations 
of the other forms of judgement. All judgements will be explained in terms of 
our previous explanations for set theory. We will call this new theory the subset 
theory and refer to the earlier set theory as the basic set theory or just set theory. 

The crucial difference between the basic set theory and the subset theory is 
that propositions will no longer be viewed as sets in the subset theory. However, 
the semantics of propositions in the subset theory will use propositions as sets 
in the basic set theory. So we must first extend our language by introducing 
primitive constants for the logical constants: &, V and 3 of arity 0®0—»0, _L 
of arity 0, V and 3 of arity 0®(0—»0)—»0. We also need a primitive constant ID 
of arity 0 ® 0 ® 0—»0 for forming the proposition that two elements of a certain 
set are equal. Instead of ID(A, o, b) we will often write a =a b. 

We will give detailed explanations of the judgements for a subset theory 
without universes. The intuition behind the semantics is that a set A in the 
subset theory consists of those elements a; in a base set A' in the basic set theory 
such that A"(x) holds, where A" is a propositional function on A' in the basic 
set theory. The situation with universes is somewhat more complicated and will 
be discussed later in the chapter. 


18.1 Judgements without assumptions 


As when we explained the meaning of the judgements of the basic set theory, 
we first explain the judgements not depending on any assumptions. 
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18.1.1 What does it mean to be a set? 

To know the judgement 

A set 

in the subset theory is to have a pair [A', A") where we know that 
A' is a set in the basic set theory and that A" is a propositional 
function on A' in the basic set theory. 

So in order to know that A is a set in the subset theory we must have A! and 
A" and know the judgements 

• A' set 

• A"{x) prop [x £ A'] 

in the way we already have explained in the basic set theory. Note that the 
judgement A"{x) prop [x £ A'] in the basic set theory is just an abbreviation 
of the judgement A!'(x) set [x £ A']. 

18.1.2 What does it mean for two sets to be equal? 

Let A and B be sets in the subset theory. According to the explanation of what 
it means to be a set in the subset theory, we then have sets A' and B' and 
propositional functions A" and B" on A' and B' , respectively. To know the 
judgement that A and B are equal sets in the subset theory is explained in the 
following way: 

To know that A and B are equal sets 
A = B 

in the sense of the subset theory, is to know that A' and B' are equal 
sets in the basic set theory and that A" (x) and B"(x) are equivalent 
propositions on A' in the sense of the basic set theory. 

So in order to know that A and B are equal, we must know the judgements 

• A! =B' 

• A"(x) <*=> B"(x) true [x £ A!] 

as explained in the basic set theory. Since propositions are interpreted as sets 
in the basic theory, the judgement A”(x) <*=> B"(x) true [x £ A'] means that we 
have an element in ( A!'(x ) —> B"{x)) x ( B"(x ) —> A"(x)) under the assumption 
x £ A'. 

18.1.3 What does it mean to be an element in a set? 

According to the explanation of the judgement A set in the subset theory, A 
consists of those elements x in A' such that A!'{x) holds: 

To know the judgement 

a £ A 

where A is a set in the sense of the subset theory, we must know 
that a is an element in A' and that A"(a) is true. 
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So in order to know that a is an element in the set A we must know the judge¬ 
ments 

• a £ A' 

• A" (a) true 

as explained in the basic set theory. Note that A" (a) true means that we have 
an element in the set A" (a). 

18.1.4 What does it mean for two elements to be equal in 
a set? 

If a £ A and b £ A then the explanation of equality between a and b is the 
following. 

To know that a and b are equal elements in a set A 


a = b £ A 

in the sense of the subset theory is to know the judgement 
a = be A' 


in the basic set theory. 

So that two elements are equal in a subset means that they must be equal 
elements in the base set of the subset. 

18.1.5 What does it mean to be a proposition? 

To know a proposition P in the subset theory is to know a proposi¬ 
tion P* in the basic set theory. 

Since P may contain quantifiers ranging over subsets, P* will depend on the 
interpretation of subsets. Since propositions are interpreted as sets in the basic 
set theory, P* is nothing but a set in the basic theory. 

18.1.6 What does it mean for a proposition to be true? 

To know that the proposition P is true in the subset theory is to 
know that P* is true in set theory. 

So a proposition P is true in the subset theory if we have an element in the set 
P* in the basic set theory. 

18.2 Hypothetical judgements 

The explanation of a judgement depending on assumptions is done, as in the 
basic set theory, by induction on the number of assumptions. Leaving out higher 
order assumptions, a member Ck in an arbitrary context C i,..., C n in the subset 
theory is either of the form Xk € A k (x i,... , Xk- 1) where A k (x i,..., Xk~ i) is a 
subset in the context Ci,..., Ck- 1 or of the form P{x\ ,. .., Xk) true where 
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P(x i,..., Xk) is a proposition in the context C\.... ,Ck~ i- In order to avoid 
heavy notation, we will explain hypothetical judgements in the subset theory in 
a context 

x £ C, P(x) true, y £ D(x) 

where C is a subset, P(x) a proposition in the context x £ C, and D(x) is a 
subset in the context x £ C, P(x) true. Given the explanations of the different 
forms of judgements in this context of length 3, it is straightforward to explain 
the judgements in an arbitrary context. 

18.2.1 What does it mean to be a set under assumptions? 

To know the judgement 

A{x, y) set [x £ C, P(x) true, y e D(x)] 
in the subset theory where we already know 
C set 

P{x) prop [x £ C\ 

D(x) set [x £ C, P(x) true] 

is to have a pair [A', A") such that 

A'(x,y) set [x £ C', y £ D'(x)] 

and 

A"(x,y,z) prop [x £ C', y £ D'{x), z £ A'(x,y)\ 
both hold in the basic set theory. 

When defining A! and A" it must be done in such a way that it does not come 
in conflict with the sets obtained from A by substitution. So we must require 
the following substitution property: 

A(a,b)' is equal to A'(a,b). 

A(a, b)" is equal to A"{a, b). 

Note that being a set under assumptions only depends on the base sets of the 
sets in the assumption list and in particular does not depend on any proposition 
being true. 

18.2.2 What does it mean for two sets to be equal under 
assumptions? 

To know the judgement 

A(x,y) = B(x,y) [x £ C, P(x) true, y £ D(x)\ 

in the subset theory, where A(x, y) and B(x, y) are sets in the context 
x £ C, P(x) true, y £ D(x), is to know the judgements 


A'(x,y) = B\x,y ) [x £ C', y£ D'{x)\ 
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and 

A"(x,y) <*=> B"(x,y) true [a; e C', C"{x) true, 

P*(x) true, y £ D'(x), D"(x,y) true] 

in the basic set theory. 

So that the base sets of the two equal sets are equal only depends on the base 
sets of the subsets in the assumption list. The equivalence of the propositional 
parts of the sets, however, may depend also on the propositional parts of the 
sets in the assumption list as well as on the truth of propositions. 

18.2.3 What does it mean to be an element in a set under 
assumptions? 

To know the judgement 

a(x,y) £ A(x,y) [x £ C, P(x) true, y £ D{x)\ 

in the subset theory, where A(x,y ) is a set in the context x £ 

C, P(x) true, y £ D(x), is to know the judgements 

a(x,y) £ A'(x,y) [x £ C', y £ D'(x)\ 

and 

A"(x,y,a(x,y)) true \x£C', C"{x) true, 

P*(x) true, y£D'(x), D"{x,y) true] 

in the basic set theory. 

Note that a(x, y) is an element in the base set of A(x, y) only depends on the 
base sets of the sets in the assumption list and in particular does not depend 
on any proposition being true. 

18.2.4 What does it mean for two elements to be equal in 
a set under assumptions? 

To know the judgement 

a(x,y) = b(x,y) £ A(x,y) [x £ C, P(x) true, y £ D(x)\ 

in the subset theory, where a(x, y) £ A(x, y) and b(x, y) £ A(x, y) in 
the context x £ C, P(x ) true, y £ D(x), is to know the judgement 

a(x, y) = b(x, y) £ A’{x, y) [x £ A', y £ B'{x)\ 

in the basic set theory. 

So that two elements are equal in a set under assumptions means that they 
must be equal already as elements in the base set, only depending on the base 
sets of the sets in the assumption list. 
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18.2.5 What does it mean to be a proposition under as¬ 
sumptions? 

To know the judgement 

Q(x, y) prop [x £ C, P(x) true, y £ -D(x)] 
in the subset theory is to know the judgement 

Q*(x,y) prop [a: £ C', y £ D'(x)\ 
in the basic set theory. 

We must also require the substitution property 

Q(a, b)* is equal to Q*(a, b) 

18.2.6 What does it mean for a proposition to be true 
under assumptions? 

To know the judgement 

Q{x,y) true [x £ C, P(x) true, y £ D(x)] 

in the subset theory, where Q{x,y) is a proposition in the context 
x £ C, P(x) true, y £ D(x), is to know the judgement 

Q*(x,y) true [x £ C', C"(x) true, 

P*(x) true, y£ D'(x), D"(x,y) true] 

in the basic set theory. 

18.3 General rules in the subset theory 

With the exception of the rule Proposition as set, all the general rules of the 
basic set theory also hold in the subset theory. Let us as an example justify the 
Set equality rule 

a £ A A = B 
oeB 

By the explanations of judgements of the form a £ A and A = B in the subset 
theory, we have to show that if the judgements a £ A', A"(a) true, A! = B’ and 
A"(x) <*=> B"(x) true [x £ A’] all hold in set theory, then a £ B' and B" (a) true 
also hold in set theory. That a £ B' holds follows from a £ A!, A! = B' and the 
Type equality rule in set theory. From A" {a) true and A"(x) —* B"(x) true [x £ 
A’} we get that B"(a) is true by substitution and —^-elimination. 

Since a proposition is interpreted as a set in the basic set theory, we did not 
introduce judgements of the forms P prop and P true in the formalization of 
set theory. For instance, an assumption of the form P true in set theory can be 
understood as an assumption y £ P where y is a new variable. In the subset 
theory, however, we must have judgements of the forms P prop and P true in 
the formal system and therefore we have to add general rules involving these 
two forms of judgement. 
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Assumption 

P prop 

P true [P true] 

By the explanation of what it means to be a proposition in the subset theory, 
we know that P* is a proposition, that is a set, in the basic set theory. Hence, 
by the assumption rule in set theory, we have y £ P* [y £ P*] which is the 
meaning of P true [P true]. 

The judgement 

C(x) prop [a: £ A] 

means that the judgement C*(x) set [x £ A'] holds in the basic set theory. By 
the rule Substitution in sets and the substitution property of C*{x) we therefore 
have the rule 

Substitution in propositions 

C(x) prop [x £ A\ a £ A 
C(a ) prop 


The rule 

Cut rule for propositions 

Q prop [P true) P true 
Q prop 

is justified in the following way. The judgement Q prop [P true] in the subset 
theory means that Q* set [y £ P*] in set theory and the judgement P true 
means that we have an element a in the set P*. By Substitution in sets we 
therefore get Q * set, that is, Q* prop as desired. 

In a similar way, we can justify the rules 
Cut rule for equal sets 


A = B [P true] 

P true 

A = B 


Cut rule for true propositions 


Q true [P true] 

P true 

Q true 


Cut rule for elements in sets 


a £ A [P true] 

P true 

a £ A 


Cut rule for equal elements in sets 


a = b £ A [P true] 

P true 


a = b £ A 
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18.4 The propositional constants in the subset 
theory 

Without a universe of propositions, which we will introduce later, the proposi¬ 
tional constants are the logical constants and the propositional equality. 

18.4.1 The logical constants 

Let P and Q be propositions in the subset theory. This means that we have 
propositions, that is sets, P* and Q* in the basic theory. Propositions built up 
from P and Q by the sentential connectives are given meaning in the following 
way: 

(Pk.QY is defined to be the proposition P* x Q*. 

(P V Q)* is defined to be the proposition P* + Q*. 

(.P D Q)* is defined to be the proposition P* —> Q*. 

The truth T and absurdity T are given meaning in a similar way: 

T* is defined to be the proposition T. 

_L* is defined to be the proposition 0. 

So a sentential constant is given meaning by the use of the same set forming 
constant as when interpreting proposition as sets. However, the situation is 
more complicated when we come to the quantifiers. 

Let A be a set and P a propositional function on A in the subset theory. We 
then have, according to the meaning of being a set and a propositional function 
on a set, a base set A' and propositional functions A" and P* defined on A' in 
the basic set theory. The propositions obtained from P by quantification on A 
are given meaning in the following way: 

The proposition ((VxgA)P(x))* is defined to be 

(HxeA')(A"(x)^P*(x)) 

The proposition ((3x€A)P(x))* is defined to be 

(ExeA')(A"(x) x P*(x)) 

It is now easy to justify the rules of first order logic as we have formulated 
them earlier. As an example, we justify the rules for the universal quantifier. 

V - formation 


A prop P(x) prop [x G A] 

(\/x€A)P(x) prop 

We must show that (nxG A')(A"(x) —> P*(x)) is a proposition, that is a set, in 
the basic set theory from the assumptions that we already know the judgements 
A' set, A"(x) prop [x G A'] and P*(x) prop [x G A'}. By -►-formation we 
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get A"{x) —> P*{x) set [x £ A'] which gives (JIx € A'){A" (x) —> P*(x)) set as 
desired. 

V - introduction 

P(x) true [x £ A] 

(Vx£A)P(x) true 

That we know the judgement P(x) true [x £ A] in the subset theory means 
that we know the judgement P*(x) true [x £ A', A"{x) true] in the basic set 
theory. So we have an expression 6 for which we know the judgement b(x) £ 
P*(x) [x £ A',y £ A"{x)\ in the basic set theory. By -►-introduction, we get 
A y.b(x) £ A"{x) —► P*(x) [x £ A'] which, by II-introduction, gives Xx.Xy.b(x) £ 
(II x£A')(A"(x) —► P*(x)). Hence, we know the judgement (n x£A')(A"(x) —► 
P*(x)) true as desired. 

V - elimination 1 

(Vx£A)P(x) true a £ A 
P(a) true 

Assume that we have expressions b and c for which we know the judgements 
b £ (n x£A'){A"(x) —► P*(x)), a £ A and c 6 A"(a) in the basic set theory. By 
n-elimination we get apply(6, a) £ A"(a) —► P*(a) and then, by -►-elimination, 
apply(apply(6, a), c) £ P*(a). So P*(a) is true in set theory as desired. 

18.4.2 The propositional equality 

Let A be a subset and a and b elements in A. Then the meaning of a =a b is 
given by 

The proposition (a =a b)* is defined to be Id (A', a, b). 

We have the following rules for the propositional equality: 

= - formation 

a £A b £ A 
a =a b prop 

= - introduction 

a = b £ A 
a =a b true 

= - elimination 

C(x) prop [x £ A] a =a b true C(a) true 
C(b) true 

We justify the elimination rule. The judgement a =a b true means that we 
have an element c in the set ld(A', a, b) and the judgement C(a) true means that 
we have an element d in the set C*(a) . Using Id-elimination on c € Id (A', a, b) 
and Xu.u £ C*(x ) —► C*(x) [x £ A] we get id peel (c, (x)Xu.u) £ C*(a) —► C*(b). 
Since d £ C*(a) we then obtain, by -►-elimination, 

apply(idpeel(c, (x)Xu.u),d) £ C*(b) 

So, C* (b ) is true in the basic set theory which is the meaning of the judgement 
(7(6) true in the subset theory. 
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18.5 Subsets formed by comprehension 

Sets in the subset theory are built up by the set forming operations we already 
have in the basic set theory and by set comprehension. The semantics of subsets 
introduced by comprehension is the following: 

{x G A | P(x)Y is defined to be the set A! and {x € A \ P(x)}" is 
defined to be the propositional function (z){A"(z) x P*(z)) on A'. 

The formation rule 

Subset - formation 

A set P(x) prop [x G A] 

{x G A | P(x)} set 

is justified in the following way. We assume that we know the interpretations of 
the premises, that is that we know the judgements A' set, A"(x) prop [x G A'] 
and P*(x) prop [x G A'] as explained in the basic set theory. Since {x G 
A | P(x)} r is defined to be A!, we get that {a: G A \ P(x)Y is a set. By x 
-introduction we get that A"(x) x P*(x) is a proposition when x G A'. 

It is also easy to justify the introduction rule: 

Subset - introduction 


a G A P(a) true 
ae{x eA \ P(x)} 

Now we obtain the desired elimination rules for comprehension. 

Subset - elimination for sets 

a G {x G A | P(x)} c(x) G C(x) [a; G A, P(x) true] 
c(a) G C(a) 

This rule is justified as follows. We assume that we already know the judgements 
a G A' 

A" (a) x P*(a) true 
c(x) G C'{x) [x G A'] 

C"(c(x)) true [x G A!, A!'(x) true, P*(x) true] 

in the basic set theory. From the first and third of these judgements we get, by 
substitution and the substitution property, that c(a) G C(a)'. By x-elimination, 
substitution and the substitution property we get from the first, second and 
fourth judgements that C(a) ,, (c(o)) true holds. In a similar way we can justify 
the rule 

Subset - elimination for propositions 

a G {x G A | P(a;)} Q(x) true [x G A, P{x) true] 

Q(a) true 

By putting Q(x) equal to P(x) in Subset-elimination for proposition we see 
that now we can derive P(a) true from a G {x G A \ P(x)} which in general is 
not possible in the basic theory. 
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18.6 The individual set formers in the subset 
theory 

For each set A obtained by any of the individual set formers we have to define 
the set A' and the propositional function A" on A 1 in the basic set theory. In 
general, the formation of a set is made in a context which we will not mention 
explicitly. In particular, the substitution property must be satisfied when we 
substitute terms for the variables in the context. Because of the inductive way 
the set is introduced, it is easy to see that the substitution property holds. 

To the rules for the individual sets in the basic theory, we will add rules for 
proving the truth of propositions by structural induction. These new rules will 
be called elimination rules for propositions. For the inductively defined sets we 
will also give equality rules which will reflect their interpretation in the basic 
set theory. 

18.6.1 Enumeration sets 

An enumeration set has the same elements in the subset theory as it has in the 
basic theory: 

{*i,... ,i n }' is defined to be the set {4, ... ,4} and (4, • • • ,in}" is 

defined to be the propositional function (z)T on {4.*„}. 

To the rules for enumeration sets in the basic theory we have to add the rule 
{fi,..., 4} - elimination for propositions 

a £ {4, • • • ,4} 

Q(x) prop [®€ {ii,..., 4}] 

Q(ii) true 


Q(i n ) true 

Q(a ) true 

This rule is justified in the following way. That the judgement Q(x) prop [x £ 
(4, • • •, 4}] holds in the subset theory means that Q*(x) set [x £ {4>..., 4}] 
holds in the basic theory since {4,---,4} / is {4, •••,4}- The judgement 
Q(ik) true means that we have an element bk in the set Q*(4)- Hence, we can 
use {4, • • •, 4}-elimination 1 to obtain case(a, 4,..., b n ) £ Q*(a). So Q*(a) 
is true in the basic set theory and, hence, Q(a ) is true in the subset theory as 
desired. 

The other rules for enumeration sets are also straightforward to justify. 

18.6.2 Equality sets 

The main purpose of the equality sets in the basic set theory is to reflect the 
judgemental equality to the propositional level. Since propositions are not inter¬ 
preted as sets in the subset theory, we have introduced equality as a primitive 
proposition, so there is really no need of equality sets in the subset theory. 
However, they can be given semantics in the subset theory: 

ld(A,a, b) 1 is defined to be the set Id (A',a,b) and Id (A,a,b)" is de¬ 
fined to be the propositional function {z)T on ld(A', a, b). 
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18.6.3 Natural numbers 

The natural numbers in the subset theory are, of course, the same as the natural 
numbers in the basic set theory: 

INI' is defined to be the set N and N" is defined to be the propositional 
function (z) T" on N. 

The rules for N are all easy to justify and as an example we justify the new 
N-elimination rule. 

N - elimination for propositions 

Q(x) prop [x £ N] 
ae N 
Q(0) true 

Q(succ(;r)) true [x £ N, Q(x) true] 

Q(a ) true 

For the justification of the rule, assume that we have expressions d and e and 
know the judgements a £ N, d £ Q*( 0) and e(x,y) £ Q*(succ(a;)) [x £ N, y £ 
Q*(a;)] as explained in the basic set theory. By the N-elimination rule in the 
basic set theory, we get natrec(a, d, e) £ Q*(a). So Q(a) is true in the subset 
theory as desired. 

18.6.4 Cartesian product of a family of sets 

An element / in a cartesian product of a family B of sets on a set A in the 
subset theory is an element in the cartesian product (II x£A')B'(x) in the basic 
theory, such that when it is applied on an element a in A 1 such that A"{a) is 
true, it gives an element in B'(a ) such that B"(a, apply(/, a)) is true: 

((lire A)B(x))' is defined to be the set (II x£A')B(x)' and 
((II x£A)B(x))" is defined to be the propositional function 

(z)((IIx£A')(A''(x) -> B(x)"(app\y(z,x)))) 

on the set (II x£A')B(x)'. 

The rule we have to add is 

II - elimination for propositions 

/ e (lire A)B(x) Q(A(y)) true [y(x) £ B(x) [x £ A]] 

Q(f ) ^ue 

In this rule we must use a higher order assumption, which we have not discussed 
for the subset theory. But we leave out the details of extending our semantics to 
judgements depending on higher order assumption. Note that the elimination 
rule for II involving apply cannot be used to obtain an induction principle for 
propositions over a II-type. 

We can also justify the equality rule 
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II-subset - equality 


A set 

B{x) set [x e A] 

P( x) prop [x e A] 

Q(x, y) prop [x e A, ye B(x)] 

(nxe{u e A | P(u)}){u e B(x) \ Q(x,v)} = 
{ze{HxeA)B{x) I (Vue ^4)(P(u) D Q(u, apply(z, a:)))} 
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18.6.5 Disjoint union of two sets 

The semantics of a disjoint union of two sets is the following: 

(. A + B)' is defined to be the set A' + B' and {A + B)" is defined to 
be the propositional function 

(z)((3x£A')(A"(x) x \A{A',z, in((a;))) if" 

(3 y£B'){B"{y) x \6{B',z,\m{y)))) 

on the set A! + B'. 

The elimination rule we have to add is 
H— elimination for propositions 

c£ A + B <3(inl(a;)) true [x £ A] Q(inr(y)) true [y £ B] 
Q(c) true 

We also have the equality rule 
+-subset - equality 

A set P(x) prop [x £ A] Q(y) prop [y £ B] 
e A I P(x)j + {y £ B I Q{y)} = 

{z £ A + B \(3x£A)(P(x) &z= a inl(rc)) V 
(3 y£B)(Q(y) kz= B inr(y))} 

18.6.6 Disjoint union of a family of sets 

The semantics of a disjoint union of a family of sets is given by: 

((Ea:e A)B{x))' is defined to be (Ea;e A')B'(x) and 
((Ea:e is defined to be the propositional function 

(z)(A"(fst(z)) x B(fst(z))"(snd(z))) 

on ( Ex£A')B'(x ). 

We have to add the rule 

£ - elimination for propositions 

c e £(A, B) Q({x, y)) true [x £ A, y £ B(x)] 

Q(c) true 

We can also justify the equality rule 
E-subset - equality 

A set 

B(x) set [x £ A] 

P(x) prop [x £ A] 

Q(x,y) prop [x £ A, y £ B(x)] 

(Ex£{u£A\ P(u)}){u £ B(x) I Q(x, v)} = 

{z £ (E x£A)B(x) | P(fst(z)) x Q(fst(z), snd(z))} 
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18.6.7 Lists 

Let A be a set in the subset theory. The base set List(T)' is then put equal to 
the set List(A') in the basic set theory. The propositional function List(A)" on 
List(A') must satisfy that List(A)"(nil) is true and, for a & A' and b e List(A'), 
that List(A)"(cons(a, b)) is true if A"(a) and List(^4)"(6) both are true. So 
List(A)" must be defined by a set valued recursion. The only way we can do 
this is by using the universe U and we then obtain the following semantics for 
List(A): 

List(A)' is defined to be the set List (A') and List(A") is defined to 
be the propositional function 

(z) (Set(listrec(2i, T,(x,y,u) (A"(x) x u)))) 

By the notation C we mean the code for the small set C. The code C can be 
defined by induction on the formation of the set C. 

The use of U when giving semantics to List(A) is not satisfactory since it 
cannot be extended to subsets involving a universe for subsets. We will discuss 
this problem in the section on the universe in the subset theory and suggest 
other ways of giving semantics to List (A). 

18.6.8 Well-orderings 

As for lists, we must use the universe when giving semantics for well-orderings: 

((\NxG A)B(x))' is defined to be the set (\NxgA')B'(x) and ((Wx€ 
A)B{x))" is defined to be the propositional function 

(z) (Set(wrec(,2, (x, y, u)(A^(x) x (fine B(®) / )(S(®) ,, (t>)^«(v)))))) 

18.7 Subsets with a universe 

We will now introduce a subset U reflecting the subsets introduced so far and a 
subset P reflecting the propositions we have introduced. We must then extend 
the syntax by adding constants 

&, V, "3", J_ 3, V and ID 

which code the propositional constants and a constant Prop for the function 
which decodes an element in P. 

We first give the rules and then indicate how an interpretation of the subset 
theory extended with U and P can be given in the basic set theory, using the 
universe U of the basic set theory. 

P - formation 

P prop 

P - introduction 1 

P&P QeP 


P&QeP 
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Prop - introduction 1 


PeP QeP 

Prop(P&Q) & (Prop(P)&Prop(Q)) 
P - introduction 2 


PeP QeP 
PvQ e p 


Prop - introduction 2 


PeP QeP 
Prop(PVQ) (Prop(P) V Prop(Q)) 

P - introduction 3 


PeP QeP 
PdQ e p 


Prop - introduction 3 

PeP QeP 
Prop (P'dQ) ^ (Prop(P) D Prop(Q)) 


P - introduction 4 

1 e P 


Prop - introduction 4 

Prop(P) <S=> J_ 

P - introduction 5 

A e U p(x) eP [ie Set(4)] 
V(A, P) e p 


Prop - introduction 5 

A e U P(x) eP [ie Set(A)] 
Prop(V(A, P)) <*=> (Va;eSet(^4))Prop(P(a;)) 

P - introduction 6 

A e U p(x) eP [ie Set(A)] 

§ (A,P) e p 


Prop - introduction 6 

A e U P(x) eP [xe Set(y4)] 
Prop(3(i4,P)) (3xeSet(^))Prop(P(a;)) 
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P - introduction 7 

A g U a € Set(i4) b € Set(A) 

ID(A, a, b) € P 

Prop - introduction 7 

A g U a g Set(i4) b € Set(A) 

fD(A,a,6) ID(i4,a,6) 

To the rules for U in the basic set theory, excluding the elimination rule, we 
must add rules reflecting subsets introduced by comprehension. 

U - introduction 9 

A g U P(x) € P [x g Set(-A)] 

(IKA^eU 

Set - introduction 9 

A e U P(x) € P [x £ Set (.A)] 

Set| §(A,P)) = {x e Set(^rofp{,-))} 

We will now indicate how the subset theory with U and P can be interpreted 
in the basic set theory. The interpretation of U will then reflect the interpreta¬ 
tion we already have given of the subset theory without a universe. This leads 
to the following definition of U / : 

IT = (£2/sU^SeXx') —> U) 

where U in the definiens is the universe in the basic set theory. U" is trivially 
defined by 

U" -i (XT 

In the interpretation of the subset theory without a universe, the elements of 
a set are interpreted by themselves. However, this is no longer possible when 
having a universe since an element in 1/ is a pair, reflecting that a set A in the 
subset theory is interpreted as a set A' in the basic set theory together with 
a propositional function A" on A'. So if a e U in the subset theory, then we 
cannot have a G U ; instead we must also interpret a as a pair, which we will 
denote by a'. 

The interpretation of Set is then given by 

Set(a) / = Set(Ma')) 

Set(a) ,, (X = Set(apply(snd(o / ), z)) 

Since propositions are interpreted as sets, the interpretation of P must reflect 
this: 


P' 

P"(z) 
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The interpretation of Prop is then given by 

Prop(a) / = Set(a') 

Prop(a)"(z) = T 

We must now also define the mapping ' on elements. For codes of sets formed 
by comprehension, we have 

{\}(a,by = {fst(a'),Xz.(app\y(snd(a'),z)M'(z)) 

The mapping ' is defined in a similar way for elements coding sets of the other 
forms, reflecting the interpretation of the corresponding set. The mapping ' will 
commute with all the constants for elements which are not codes in U. So, for 
instance, pair (a,b)' = pair (a',b'). 

When defining ' on codes for lists and well-orderings there is, however, a 
problem since the interpretation of these types is using the universe. One way 
of solving this problem would be to add an infinite sequence 

Ui,...,U„,... 

of universes so that when interpreting U n one could use U ra+ i. Another way, 
discussed in [102], would be to extend the basic set theory with the possibility 
of defining sets directly by recursion, not using the universe. Defining sets by 
induction on lists, we would have to extend the syntax with a new constant 
Listrec of arity 0®0®(0®0®0—»0)—»0 and add the rules 
Listrec - formation 

l e List(A) 

C set 

E(x,y,Z) set [x £ A, ye List(A), Z set] 

Listrec(Z, C, E) set 


Listrec - equality 1 

C set E(x,y,Z) set [x e A, ye List(A), Z set] 
Listrec(nil, C, E) = C 


Listrec - equality 2 

l e List(A) 

C set 

E(x,y,Z) set \x e A, ye List(A), Z set] 

Listrec(a.Z, C, E) = E(a, l, Listrec(J, C, E)) 

We can now give the semantics for lists in the subset theory without using 
a universe: 


List(T)' is defined to be the set List(A') and List(A)" is defined to be 
the propositional function (,z)((Listrec(2, T, (x, y, Z)(A"(x) x Z )))) 
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Chapter 19 

Types 


In the previous chapters, we have defined a collection of sets and set forming 
operations and presented proof rules for these sets. We have introduced the 
constants for each set and then presented the proof rules in a natural deduction 
style. Another way of introducing sets is to use the more primitive notion of 
type. Intuitively, a type is a collection of objects together with an equivalence 
relation. Examples of types are the type of sets, the type of elements in a set, 
the type of propositions, the type of set-valued functions over a given set, and 
the type of predicates over a given set. 

In this chapter we will describe a theory of types and show how it can be 
used to present a theory of sets. We will get possibilities of using variables 
ranging over sets and higher order objects. The possibility of abstracting over 
these kind of variables is essential for structuring big programs and proofs. It 
also gives possibilities to use more elegant formulations of the elimination rules 
for the II-set and the well-orderings. The theory of types can also be used as 
a logical framework [48] in which it is possible to formalize different logics. It 
can also be used as a theory of expressions where the types replaces the arities; 
hence, we will in this chapter not rely on the theory of expressions developed in 
chapter 3. 

If one looks in a text book on logic like, for instance, Kleene’s Introduction 
to Metamathematics, one hardly finds any completely formal derivations. In 
general, the derivations depend on metavariables ranging over formulas. For 
instance, in the formal derivation 


x = ykx = z 
x = ykx = z^>x = y 

we can replace the formulas x = y and x = z by arbitrary formulas A and B 
respectively thereby obtaining the schematic derivation 

AkB 

A 

which no longer is a formal derivation in predicate logic. 
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Most of the derivations in this book are also made under some general as¬ 
sumptions like “Let A be a set and B(x ) a family of sets over A”. When 
implementing type theory on a computer these kinds of assumptions have to 
be made formal. In the Nuprl-system [25] this is made by using universes; for 
instance the assumption 


“Let X be a set” 

is translated into the formal assumption 

leU 

However, this does not really capture the assumption that X is an arbitrary set, 
because U is only the set of small sets which has a fixed inductive definition. 
What we really want to assume is that X is an arbitrary set, that is, something 
satisfying the semantical requirements of being a set. In particular, X may in 
the future be interpreted as some set which we have not yet defined. It may 
also be interpreted as some set involving U and then it cannot be a small set. 

19.1 Types and objects 

We will now extend type theory so that assumptions like “X is a set” can be 
made. We will do that by introducing an even more basic concept than that of 
a set, namely the notion of type. Intuitively, a type is a collection of objects 
together with an equivalence relation. 

What does it mean that something is a type? To know that A is a type is to 
know what it means to be an object of the type, as well as what it means for two 
objects to be the same. The identity between objects must be an equivalence 
relation and it must be decidable. The requirement of decidability of identity 
comes from the general requirement of decidability of the new forms of judge¬ 
ments that we are introducing in this chapter. In these judgements everything 
is there which is needed to be convinced of them: They carry their own proof. 

As an example of a type, we will later define the type Set whose objects are 
monomorphic sets by explaining what it means to be a set as well as what it 
means for two sets to be the same. 

We will write 

A type 

for the judgement that A is a type. That a is an object of type A is written 
a : A 

and that a and b are the same object of type A will be written 
a=b: A 

and, finally, that two types A and B are identical will be written 
A=B 

What does it mean for two types to be the same? Two types are the same 
if an object of one type is also an object of the other type and identical objects 
of the one type are identical objects of the other type. 
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19.2 The types of sets and elements 

The type Set which contains (monomorphic) sets as objects is explained by 
explaining what a set is and when two sets are identical. To know a set A is 
to know how the canonical elements of A are formed and when two canonical 
elements are identical. Two sets are identical if a canonical element of one set 
is a canonical element of the other set and if two identical canonical elements 
in one set also are identical in the other set. 

Hence, we have the axiom 
Set formation 

Set type 

Notice that this explanation of what the type Set is, is totally open. We 
have not exhausted the possibilities of defining new sets. This is in contrast 
with the set U, whose canonical elements are codings of a fixed number of set 
constructing operations. A set is always an inductive structure, we know that 
a canonical element in it has been formed according to one of its introduction 
rules. 

If A is a set, then E1(A) is a type. It is the type whose objects are the 
elements of A. We know that a is an object in E1(A) if we know that the value 
of a is a canonical element of A. Two objects in E1(A) are identical if their 
values are identical canonical elements in A. So we have the rules 
El-formation 


A : Set A = B : Set 

E1(A) type E1(A) = E1(B) 


We will use the abbreviations 


A set = A : Set 
a € A = a: E1(A) 

i accordance with the earlier used notation. 


19.3 Families of types 

In much the same way as the notion of set is extended to families of sets, we 
will now introduce families of types. 

A context is a sequence 


Xi : Ai, X 2 ■ A 2 , ..., x n : A n 


such that 


• Ai is a type, 

• A 2 [x'i := ai] is a type for an arbitrary object a\ of type A-[, 
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• A n [x i := oi][®2 := 02] ■ ■ ■ [x n -\ := a n _i] is a type for arbitrary objects 
a\, <22, ... ,o„_i of types 

Ai, A 2 [xi:=Oi], ..., A„_i[xi := Oi][x 2 := o 2 ] ••• [x n - 2 := o n _ 2 ] 
respectively. 

That A is a family of types in the context 

£1 : Ai, x 2 : A 2 ,..., a: n : A n , 


which we formally write 

A type [xi : Ai,x 2 : A 2 , ... ,x n : A n ] 

means that 

A[x 1 := ai][x 2 := a 2 ] • • • [x„ := a„] is a type for arbitrary objects 
ai, a 2 , ..., a ra _i of types Ai, A 2 [xi := ai], ..., 

A n [x 1 := ai][x 2 := a 2 ] • • • [x n _i := a n _i] respectively. 


As for families of sets, we also require that A must be extensional in the context, 
that is, if 

ai = b\ : Ai, 

a 2 = & 2 : A 2 [;ei := ai], 


a„ = b n : A n [xi := ai][x 2 := o 2 ] • • • [a; n _i := o„_ 1] 
then it follows from 

A type [xi : Ai, ..., x n : A n ] 

that 

A[xi := ai] [x 2 := d 2 ] • • • [x n := d n ] = A[xi := 61] [x 2 := fe 2 ] • • • [x n := 6„] 

As an example, the two rules for El-formation express that E1(X) is a family 
of types over Set. 

The explanation of the remaining three forms of judgements: 

A = B 
a : A 
a = b : A 


in the context 

X\ : Ai, x 2 : A 2 , ..., x n : A n 
is done in a similar way as the first form 

A type [x\ : Ai, x 2 : A 2 , ..., x n : A n ] 


by reducing the explanation to the corresponding form with empty context by 
substituting appropriate closed expressions for the variables. 
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19.4 General rules 

Since the identity relation on a type is required to be an equivalence relation 
and since two types are identical if they have the same objects and identical 
objects of one of the types are also identical objects of the other, we have the 
following identity rules. 

Reflexivity 

a : A A type 

a = a : A A^A 

Symmetry 

a = b : A A = B 

b = a : A B = A 

Transitivity 

a = b : A b = c : A A = B B = C 

a = c:A A^C 

Type identity 

a: A A = B a = b : A A = B 

a : B a = b : B 

The explanations of families of types in a context of the form x : A directly 
give rules for substitution: 

Substitution in types 

C type [x : A] a : A C type [x : A] a = b : A 

C[x := a] type C[x := a] = C[x := b] 

Substitution in objects 

c : C [x : A] a : A c : C [x : A\ a = b : A 

, 4 ^a; = dt] Cfe = = j&J* 

Substitution in identical types 

B = C [x: A] a: A 
B[x := a] = C[x := a] 

Substitution in identical objects 

b = c : B [x : A] a : A 
b[x := a] = c[x := a] : B[x := a] 

These rules can in the same way as in chapter 5 be extended to general 
contexts of the form aq : A\ , ;r 2 : A 2 . ..., x n : A n where n simultaneous 
substitutions are made. 
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19.5 Assumptions 

Our main reason for introducing types is that we want the possibility to make 
assumptions of a more general form than x £ A, where A is a set. The assump¬ 
tions we can now make are of the form 

x : C 

where C is a type. To be more formal, we have the rule 
Assumption 

C type 
x:C [x:C] 

The premise C type in this rule may depend on a nonempty context, but as 
usual in natural deduction, we only explicitly show that part of the context 
which is changed by the rule. By using the axiom that Set is a type we can now 
make the assumption that X is an arbitrary set: 

Set type 

X : Set [X : Set} 

which, by the definition above, we can also write 

Set type 
X set [X set] 

Assumptions in set theory without types are always of the form 
xgA 

where A is a set and they can now be obtained as special cases of assumptions 
in the theory of types by the following derivation: 

A set 

E1(A ) type 
x : E1(A) [x : E1(A)] 

Using our notational conventions, we can write the conclusion of this derivation 
xgA [are A] 

Note that this derivation is not formal because of the occurrence of the metavari¬ 
able A, which denotes an arbitrary set. It is now possible to make the derivation 
completely formal by making an assumption of the form X set: 

Set type 

X : Set [X : Set] 

E1(X) type [X : Set] 
x : E1{X) [X : Set, x : E1{X)] 

We can also write the conclusion of the derivation more in the style of previous 
chapters: 


[X set, xeX] 
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19.6 Function types 

We have not yet defined enough types to turn an assumption like 
Let A be a set and B a family of sets over A 

into a formal assumption. To do this we need function types. If A is a type 
and B is a family of types for x : A then ( x : A)B is the type which contains 
functions from A to B as objects. All free occurrences of x in B become bound 
in (x : A)B. 

Fun formation 

A type B type [x : A] A 1 = A 2 Bi = B 2 [x : Ai\ 

(x : A)B type (x : Ax)Bx = (x : A 2 )B 2 

To define the type of functions (x : A)B we must explain what it means to 
be a function and when two functions are the same. To know that an object c 
is in the type ( x : A)B means that we know that when we apply it to an object 
a in A we get an object c(a ) in B[x := a] and that we get identical objects in 
B[x := a-\] when we apply it to identical objects ai and a 2 in A. Two objects 
Ci and c 2 in (x : A)B are identical if Ci(a) = c 2 (a) : B[x := a] for an arbitrary 
a in A. Hence, we have the following two rules 
Application 

c : (x : A)B a : A Ci = c 2 : (x : A)B a = b : A 

c(a ) : B[x := a] Ci(ai) = c 2 (a 2 ) : B[x := a] 

Functions can be formed by abstraction, if b : B [x : A] then {x)b is an 
object in ( x : A)B. All free occurences of x in b become bound in (x)b. 
Abstraction 

b : B [x: A] 

(x)b : (x : A)B 

The abstraction is explained by the ordinary /3-rule which defines what it means 
to apply an abstraction to an object in A. 

/3 - rule 

a: A b: B [x : A] 

((x)b)(a) = b[x:=a]:B[x := a] 

It is possible to justify the following rules: 

£ - rule 

b\ = b 2 : B [x : A] 

(®)6i = {x)b 2 : (x : A)B 

a - rule 

_ b:B [x: A] _ 

{x)b= ( y)(b[x := y\) : {x : A)B 
y must not occur free in b 

r] - rule 

c:(x: A)B 

{x){c{x)) = c : (x : . 1 
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x must not occur free in c 

In a context we will often write x £ A instead of x : E1(A) and y(x) £ 

B(x) [x £ A] instead of y : (x : El(A))El(B(x)). 

Example. Translating between hypothetical judgements and func¬ 
tions 

From the judgement 


a : A [x\ : A±, x 2 : A 2 , • • •, x n : A n ] 

we can derive, by repeated abstractions, 

(ah,, x n )a : (a?! : A^{x 2 : A 2 ) ■ ■ ■ ( x n : A n ) A 

We can go in the other direction by repeated applications of the rules Assump¬ 
tion and Application. 

Instead of 

(x : A)(y : B)C 

we will often write 

(x : A, y : B)C 

and, similarly, repeated application will be written /(a, 6) instead of /(a)(6) and 
repeated abstraction will be written (x,y)e instead of (x)(y)e. When B does 
not depend on the variable x, we will use the following definition: 

(A)B rn (x : A)B 

Example. Looking at a family of sets as an object of a type 

We can now formalize an assumption of the form “Let Y(x) be a family of sets 
over a set X” by the following derivation: 

By Set-formation we have 

Set type 

and, hence, we can use Assumption to obtain 

X : Set [X : Set] 

from which we get, by EJ-formation, 

E1(X) type [X : Set] 

We can now use Assumption to get 

x : E1(X) [X : Set, x : E1(X)] 

By applying Fun formation we get 


(* : E1(X )) Set type [X : Set] 
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The objects in the type (x : E1(X )) Set axe set-valued functions indexed by 
elements in X. We can now use Assumption to get 

Y :(x: El(X))Set [X : Set, Y : (x : El(X))Set] 

Hence, by Assumption and application, 

Y(x) : Set [X : Set, Y : (x : El(X))Set, x : E1(X )] 

Using our notational conventions, this may also be written 
Y(x) set [X set, Y(x) set[x € X], x € X] 
and we may read this 

Assume that Y(x) is a set under the assumptions that X is a set 
and x € X. 
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Chapter 20 

Defining sets in terms of 
types 


We will in this chapter, very briefly, describe the objects in the type Set, thereby 
illustrating how the theory of types can be used to formulate a theory of sets. 

We will introduce the different sets by defining constants of different types 
and asserting equalities between elements in the sets. The sets we get are 
different from the one previously presented. The major difference is that they 
are monomorphic, which means that all constants contain explicit information 
about which sets the rest of the arguments belong to. In the polymorphic 
set theory presented in the previous chapters, the constant apply, for example, 
takes two arguments, a function from A to B and an element in A. In the 
monomorphic version, apply will take four arguments. First the two sets, A and 
B, then the function in A —> B, and finally the element in A. One advantage 
with a monomorphic version is that all important information about the validity 
of a judgement is contained in the judgement itself. Given a judgement, it is 
possible to reconstruct a derivation of the judgement. The disadvantage, of 
course, is that programs will contain a lot of information which is irrelevant for 
the computation. 

Another difference between the two type theory versions is that all functional 
constants introduced in this chapter are curried and written in prefix form. The 
reason is that we did only introduce a function type in the chapter about types. 
The selectors also take their arguments in a different order. 

We may define a stripping function on the expressions in the monomorphic 
theory which takes away the set information and we would then obtain expres¬ 
sions of the polymorphic theory. A derivation in the monomorphic theory is, 
after the stripping, a correct derivation in the polymorphic theory; this can easily 
be shown by induction on the length of a derivation in the monomorphic theory 
since each rule in the monomorphic theory becomes a rule in the polymorphic 
theory after stripping. Nevertheless, the polymorphic theory is fundamentally 
different from the monomorphic theory; in Salvesen [91] it is shown that there 
are derivable judgements in the polymorphic theory which cannot come from 
any derivable judgement in the monomorphic theory by stripping. 

If we declare the constants for the extensional equality Eq in the theory of 
types, we will not be able to derive the strong Eq-elimination rule. So this 
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equality does not fit into the monomorphic theory of sets. 

20.1 II sets 

The notation ( A)B is used instead of (x : A)B whenever B does not contain 
any free occurrences of x. We will write (x\ : A- t ...., x n : A n )B instead of 
(; x\ : A\)... (x n : A n )B and b(a \,..., a n ) instead of b(ai) ... (a n ) in order to 
increase the readability. 

The II-sets are introduced by introducing the following constants, 

n : (X :Set, (El (X))Set) Set 

A : (X:Set,Y:(El(X))Set,(x:El(X))El(Y(x))) 

El(n(X,Y)) 

apply : (X:Set,Y:(El(X))Set,El(II(X, Y)) ,x:El(X)) 

El (Y(x)) 

and asserting the equality: 

apply(A, B, X(A, B, b),a) = b(a) : El ( B(a )) 

where 


A : Set 
B : (El(A)) Set 
a : El (A) 

b : (x:El(A))El(B(x)) 

An alternative notation for the function type is x: A—&B. The type of the 
constants for II is then written as follows: 

n : X:Set-&(El(X)-f>Set)-&Set 

A : X:Set-&(Y:El(X)-&Set)-$> 

(x:El(X) -&>El(Y(x)))-S> 

E1(U(X , Y)) 

apply : X:Set-&(Y:El(X) -t>Set)-t> 

(El(II(X,Y)))-o 
(x :EI(X))-> 

El(Y(x )) 

We get the ordinary function set by asserting the equality 

A—>B = n(A, (x)B)) : Set [A:Set,B:Set] 


In a more conventional formulation the typing of the constants correspond to 
the following derivable inference rules (compare with the formation, introduction 
and elimination rules in chapter 7): 

X : Set Y(x) : Set [x : E1(X)} 
n(X, Y) : Set 





20.2. £ SETS 


149 


X:Set Y(x):Set [x : E1(X)] b(x) : El(V(x)) [x : E1(X)] 
X(X,Y,b) :E1(H(X,Y)) 


X : Set Y[x) : Set [x : El (X)] c : El (II(X, Y)) a: El (X) 
apply (X,Y,c,a) : El(Y(a)) 

and the equality corresponds to the rule (compare with the equality rule) 
X : Set 

Y{x) : Set [x : E1(X)] 
b(x) :El(Y(x)) [x : El (X)] 

a:El(X) _ 

apptyiX, Y, a) ~E(a) El(Y(p.)) 


20.2 E sets 

We get the £ sets by declaring the constants: 

£ : (X-.Set, (El (X)) Set) Set 

pair : (X:Set,Y:(El(X))Set,x:El(X) ,El(Y(x))) E1(E(X,Y)) 
split : (X: Set, Y: (El (X))Set, Z: (El (£(X, Y)))Set, 

(x: El (X), y: El ( Y(x)))El (Z( pair(X, Y,x,y))), 
w:El(E(X,Y ))) 

El(Z(w)) 

and asserting the equality: 

split(A, B, C, d, pair {A, B, a, b )) = d(a, b) : El (C(pair(i4, B, a, b))) 

where 

A : Set 
B : (El (A)) Set 
C : ( El(E(A,B)))Set 

d : (x:El(A),y:El(B(x)))El(C(pah(A,B,a,b))) 

a : El (A) 
b : El (B(a)) 

The usual cartesian product is defined by 

A x B = S(A, (x)B) : Set [A : Set, B : Set] 
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20.3 Disjoint union 

The disjoint unions are introduced by declaring the constants: 

4* : (Set, Set) Set 
ini : (X:Set,y:Set,El(X))+(X,F) 
inr : (X:Set, Y: Set, El (Y)) +(X,Y) 
when : (X: Set, Y: Set, Z: (El (-+(X, Y)))Set, 
(x:El(X))El(Z(in\(X,Y,x))), 
(y:El(Y))El(Z(\m(X,Y,y))), 
z:El(+(X,Y ))) 

El(Z(z)) 

and the equalities 

when(A, B, C, d, e, inl(A, B, a)) = d(a) : El ^(in^A, B, a))) 
when(A, B, C, d, e, inr(A, B,b)) = e(b) : El (C(\nr(A, B, &))) 

where 

A : Set 
B : Set 

C : (El (+(A, B))) Set 
d : (x:El(A))El(C(\n\(A,B,x))) 

e : (y:El(B))El(C(\m(A,B,y))) 

a : El (A) 
b : E1(B ) 

20.4 Equality sets 

The equality sets are introduced by declaring the constants: 

Id : (X-.Set, El (X), El (X)) Set 
id : (X:Set,x:El(X))ld(X,a;,x) 
idpeel : (X: Set, x: El (X) ,y:El(X), 

Z: (x: El (X),y: El (X), El (\d(X,x,y))) Set, 
(z:El(X))El(Z(z,z,\d(X,z))), 
u:El(\d(X,x,y))) 
m(Z(x,y,u )) 

and the equality 

idpeel(A, a, b, C, d, id (A, a)) = d(a) : El (C(a, a, id(A, a))) 

where 

A : Set 
a : El (A) 
b : El (A) 

C : (x:El(A) ,y:El(A) ,El(\d(A,x,y))) Set 
d : (x:El(A))El(C(x,x,\d(A,x))) 
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20.5 Finite sets 

We introduce the empty set and the one element set as examples of finite sets. 
The empty set is introduced by declaring the constants: 

{} : Set 

case {} : ((Z: El ({}))Set, a: El ({})) El (Z(x)) 

The one element set is introduced by declaring the constants: 


T 

Set 

tt 

El( T)) 

casej 

(Z: (El (T ))Set, El (Z( tt)) ,x:El (T)) El (Z(x)) 

and the equality 

case T (C', b, tt) = 6(tt) : E1(C( tt)) 


where C : (El (T)) Set and b : E1(C( tt)). 


20.6 Natural numbers 


The set of natural numbers is introduced by declaring the constants: 


N 

Set 

0 

El (N) 

succ 

(El (N)) El (N) 

natrec 

(Z: (El (N)) Set, 

and the equalities 

mm), 

(x:El( N), El (Z(x))) El (Z(succ(x))), 
n:EJ(N)) 

mm) 


natrec (C,d,e,0) =d:El(C( 0)) 

natrec(C, d, e,succ(a)) = e(a, natrec(C, d, e, a)) : EJ((7(succ(a))) 


where 

C 

(x:El (N)) Set 


d 

E1(C( 0)) 


e 

(x: El (N), El (C(x))) El (C(succ(x))) 


a 

El (N) 
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20.7 Lists 

Lists are introduced by declaring the constants: 

List : (Set) Set 
nil : (X: Set) El (List(X)) 
cons : (X: Set, El (X), El (List(X))) El (List(X)) 
listrec : (X: Set, Z: (El (List(X))) Set, 

E1(Z( niipQ)), 

(x ■■El(X),y: El (List(X)), El (Z(x))) El (Z( cons(X, x,y))), 
u:El( List(X))) 

El(Z(u )) 

and the equalities 

listrec(^4, C, d, e, nil(^l)) = d:El ((7(nil(^))) 
listrec(^4, C, d, e, cons(A, a, b)) = e(a, b, listrec(A, C, d, e, b)) 

: El (C(cons(A, a, b))) 


A : Set 

C : (x: El (L\st(A))) Set 
d : El(C(n\\(A))) 

e : (x:El(X),y:El (List(A)) El (C(y))) El (C(cons(A, x,y))) 
a : E1(X) 
b : El (List(X)) 
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Some small examples 

21.1 Division by 2 

In this example we give a derivation of the proposition 

(By € N)(x =|\| y * 2) V (x = N y * 2 ® 1) [x € N] (21.1) 

and then by interpreting propositions as sets show how to obtain a program 
which for each natural number n computes the integral part of n/2. In this 
chapter we are using the infix symbol ® for addition between natural numbers. 
We prove (21.1) by induction on x. 

Base: By definition of * we have 

0 = N 0*2 

from which we get, by V -introduction and 3-introduction, 

(By e N)((0 = N y * 2) V (0 = N y * 2 ® 1)) 

Induction step: We want to prove 

(By e N)((x ® 1 = N y * 2) V (x ® 1 = N y * 2 ® 1)) 
from the assumptions 

xeN, (By e N)((x= n y*2)V(x= N y*2®l)) (21.2) 

We will use 3-elimination on (21.2) and therefore assume 

y& N, x =|\| y * 2 V x =|\| y * 2 ® 1 (21.3) 

There are two cases corresponding to the two disjuncts in (21.3): 

(i) Assume 

x = N y * 2 (21-4) 

By substitution we get 

x®l= N y*2®l 
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and by V -introduction we then get 

(x © 1 = N y * 2) v (x © 1 =N y * 2 © 1) 

Hence, by 3-introduction, 

(By € N)((* © 1 = N y * 2) V (x © 1 = N y * 2 © 1)) (21.5) 
(ii) Assume 

x =|\| y* 2 ® 1 (21-6) 

By elementary arithmetic we get 

* © 1 =N (y ® !) * 2 
and by V -introduction we then get 

(x © 1 = N (y © 1) * 2) V (x © 1 = N (y © 1) * 2 © 1) 
Hence, by 3-introduction, 

(By e N)((* © 1 = N y * 2) V (x © 1 = N y * 2 © 1)) (21.7) 

Since we have derived (21.5) from (21.4) and (21.7) from (21.6) we 
can use V -elimination to obtain 

(By e N)(x © 1 = N y * 2) V (x © 1 = N y * 2 © 1) (21.8) 

thereby discharging the assumptions (21.4) and (21.6). The proposi¬ 
tion (21.8) depends on the assumption list (21.3) which we discharge 
by using 3-elimination and thereby (21.1) is proved. 

We will now translate this derivation using the interpretation of propositions 
as sets. Viewed as a set, the truth of the proposition 

(By e N)((a; = N y * 2) V (a; = N y * 2 © 1)) [a; 6 N] 

means that we know how to construct an element in the corresponding set; that 
is, we know how to construct an expression such that when we substitute a 
natural number n for x we get a natural number to such that 

(n = N m * 2) V (n = N to * 2 © 1) 

So, the constructed element will give us a method for computing the integral 
part of n/2. 

There are two possibilities when interpreting the existential quantifier in 
type theory: either to use the £ set or to use a subset. Since we are interested 
in the program that computes the integral part of n/2 and not in the proof 
element of 

(n = N to * 2) V (n = N to * 2 © 1) 

it is natural to use a subset, that is to interpret the proposition by the set 


{y € N | (i= N y*2)V(i= N y*2©l)}[ieJV] 


(21.9) 
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However, using the subset it is not possible to directly translate the proof above 
to type theory because subset-elimination is not strong enough to interpret jp? 
elimination. So we will instead use the E set when translating the proof. We 
will then get an element in the set 

('Ey G N)((a; = N y * 2) + {x = N y * 2 © 1)) [x G N] 

and by applying the projection fst on this element we will get a program satis¬ 
fying (21.9). 

Our proof of 

(3 y G N)((ar = N y * 2) V (a: =n y * 2 © 1)) [a; G N] 
was by induction, so we will construct an element of the set 

(Ey G N)((* = N y * 2) + (x = N y * 2 © 1)) [a G N] (21.10) 

by N-elimination, remembering that induction corresponds to N-elimination in 
type theory. 

Base: By N-equality and Id-introduction we have 
id(0) G (0 = N 0*2) 

So, by +-introduction and ^-introduction, we get 

(0, inl(id(0))> G {Ey G N)((0 = N y * 2) + (0 = N y * 2 © 1)) 


Recursion step: We want to construct an element in the set 

{Ey G N)((s © 1 = N y * 2) + (x © 1 = N y * 2 © 1)) 
from the assumptions 

IGN, Z1 G {Ey G N)((a = N V * 2) + {x = N y * 2 © 1)) (21.11) 

We will use £-elimination on (21.11) and therefore assume 

y G N, *2 G ((a = N y * 2) + {x = N y * 2 © 1)) (21.12) 

There are two cases: 

(i) Assume 


z 3 €{x= N y*2) (21.13) 

Substitution in the propositional function ld(N,x © l,z © 
1) [z G N] gives 

subst{z 3 , id(ar © 1)) G (a; © 1 =n y* 2 © 1) 
and by ©-introduction we then get 

\r\r{subst{z 3 , id(a;©l))) G (a;©l =|\| y*2)+{x®\ =|\| y*2©l) 
Hence, by E-introduction, 

(y, \nr{subst{z 3 , id(ar © 1)))) 

G {Ey gN)((i® 1 = N y* 2)+{x © 1 = N y * 2 © 1)) 

(21.14) 
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(ii) Assume 

z 4 e (®= N y*2©l) (21.15) 

By elementary arithmetic we get a construction 
c(x, y, z 4 ) e (a: © 1 = N (y © 1) * 2) 
and by +-introduction we then get 

\n\{c{x,y,Zi)) e (ar® 1 (y©l)*2+a;©l =|\| (y©l)*2©l) 

Hence, by E-introduction, 

(y ® 1, inl(c(x, y, z 4 ))) 

e (Ey 6 N)((® ® 1 = N y * 2)+{x © 1 = N y * 2 © 1)) 

(21.16) 

Since we have a derived (21.14) from (21.13) and (21.16) from (21.15) 
we can use +-elimination to obtain 

when(z2, 

{z 3 )(y,\nr(subst(z 3 ,\d(x®l)))}, , . 

(z 4 )(y®l,\n\(c(x,y,z 4 )m) ^ U) 

e (Ey € N)((je © 1 = N y * 2)+(x © 1 = N y * 2 © 1)) 

thereby discharging assumptions (21.13) and (21.15). (21.16) de¬ 

pends on the assumption (21.12) which we can discharge by using 
E-elimination: 

split(^i, 

(y, -22)when(,Z2, 

{z 3 )(y, \nr(subst(z 3 , id (a: © 1)))), 

{z 4 ){y © 1, inl(c(x, y, 24))))))) 
e (Ey € N)((® © 1 = N y * 2)+(x © 1 = N y * 2 © 1)) 

Now we can use N-elimination to obtain 


natrec(x, 

(0, inl(id(0))), 

(#f«i)split(^i, 

(y, 2 2 )when(22, 

{z 3 )(y, \nr(subst(z 3 , id(x © 1)))), 
{z 4 ){y® l,inl(c(aj,y, 2 4 ))))))) 
e (Ey e N)((x = N y * 2)+(x = N y * 2 © 1)) 

[zeN] 

(21.18) 


Defining half-proof by 


half.proof = 

Ax.natrec(a;, 

(0, inl(id(0)», 

(x.Zi)spllt(^l. 

(y,z 2 )when(z 2 , 

{z 3 )(y, \nr(subst(z 3 , id (a; © 1)))), 
{z 4 )(y ® l,\n\(c(x,y, z 4 )))))) 
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and half by 

half(x ) = fst(half-proof ■ x ) 

we get, by applying E-elimination twice and then using subset intro¬ 
duction, 

half(x) e{j/S N|(x = N y* 2) + (x = N y * 2 © 1)} [a; G N] 

Note that we in this type theory derivation not only have constructed the 
program half but also simultaneously have given an almost formal proof that the 
program satisfies the specification, that is that half(n) computes the integral 
part of n/2 for each natural number n. 

In the proof there was a proof of a trivial arithmetic equation which we 
did not carry out. Note, however, that this proof element is never used in the 
computation of the program half. 

Since the program was constructed from a derivation using logic, there occur 
parts in the program which one normally would not use when constructing the 
program in a traditional way. For instance, the when-part of the program comes 
from an application, in the induction step, of V -elimination where one is using 
the induction hypothesis which tells you that a number is either even or odd. 
Thinking operationally, one would here probably have used some construction 
involving if then else . 

21.2 Even or odd 

By using the previous example and a proof of 

((3® € A)(P(x) V Q(x))) D ((3a G A)P(x) V (3a 4 A)Q[x)) (21.19) 

we will derive a program even(n) in the set Bool which has value true if the 
natural number n is even and false if n is odd. 

This can be proved in the following bottom-up way: By 3-introduction and 
V -introduction we get 

(3a G A)P(x) V (3a € A)Q(x) [x € A, P(x)J 

and 

(3a G A)P(x) V (3a G A)Q(x) [x G A, Q(a)] 

Now we can use V -elimination to get 

(3a G A)P(x) V (3a G A)Q(x) [a € A, P(x) V Q(a)] 

Finally, by 3-elimination and D-introduction we obtain (21.19). 

Translating this proof, using propositions as sets, gives the following deriva¬ 
tion. By E -introduction and + -introduction we get 

inlfta, u)) € (Ex G A)P(x) + (Ex G A)Q(x) [x G A, u G P(x)] 


and 


inr((x,n)) G (Ex G A)Q(x) + (Ex G A)Q(x) [x G A, v G Q(x)\ 
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We can now use + -elimination to get 

when(y, (u)inl({x, u}), (u)inr((x, u))) £ 

{Ex £ A)P[x) + (Ex £ A)Q{x) [x £ A, y £ P{x) + Q{x)) 

By E -elimination we obtain 

split(z, (x,y)when(y, («)inl((x, u)), (u)inr((x, v))) 

£ (Ex £ A)P{x) + (Ex £ A)Q(x) 

under the assumption that z £ (Ex £ A){P{x)+Q{x)). We can now use —>- 
introduction to obtain 

distr & (Ex £ A)(P(x)+Q(x)) —»■ (Ex £ A)P{x) + (Ex £ A)Q(x) 

where 

distr = split(z, (x,y)when(y, («)inl((x,«)), (u)inr((x, v))) 

In the previous example we have derived a program half-proof in the set 
(IIx £ N)(Ey £ N)((x = N y * 2)+(x = N y * 2 © 1)) 

Hence, by putting 


P{y) = (x= N y* 2) 

Q{y) = (x= N y*2©l) 

Even{x ) = (Ey £ N)(x = N y * 2) 

Odd{x) = (Ey £ N)(x= n y*2©l) 

we get, by ^-elimination, 

distr ■ ( half-proof ■ x) £ Even{x ) + Odd{x) 

Defining everi-or-odd by 

even-or-odd{n) = distr■ {half-proof ■ x) 

we have that everi-or-odd{n) has a value whose outermost form is ini if and only 
if n is even. So we can now define even by 

even{n) = when(exen_or_odd(n), (w)true, (n)false) 

and by + -elimination we have 

even{n) £ Bool [n £ N] 

Clearly, even(n) has value true if n is even and value false if n is odd. 

21.3 Bool has only the elements true and false 

We prove the proposition 


{{3b £ Bool)P(6)) D (P(true) V P(false)) 
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by showing that the set 

((Eft € Bool)P(6)) (P(true) + P(false)) 


is inhabited. 

We start the derivation by assuming 

we(Ebe Bool )P(b) (21.1) 

and then look for an element in the set 

P(true) + P(false) 

We continue by making two more assumptions 

wi £ Bool (21-2) 

w 2 e P(wi) (21.3) 

Unfortunately, there is now not a straightforward way to get an element in the 
set P(true) + P(false) from the assumptions we have introduced. Instead we 
must first derive an element in the set 

P(ioi) -> (P(true) + P(false)) 

by case analysis on w\ and then apply this element on W 2 to get an element in 
the set 

P(true) + P (false) 

We use +-introduction and -►-introduction on the assumption 


q € P(true) 


to get 

A(inl) e P(true) D (P(true)+P(false)) 

In the same way we also get 

A(inr) e P(false) D (P(true)+P(false)) 

By applying Bool-elimination on (21.2), (21.4) and (21.5), we get 

if wi then A(inl) else A(inr) 

€ P(wi) — (P(true)+P(false)) 

Then -►-elimination, applied on (21.3) and (21.6), gives 

apply(if wi then A(inl) else A(inr),«;2) 
e P(true)+P(false) 


(21.4) 

(21.5) 


( 21 . 6 ) 


(21.7) 


Now we can apply the 3-elimination rule on (21.1) and (21.7) and thereby 
discharging assumption (21.2) and (21.3): 


split(w, 

(twi, w 2 )apply(if w\ then A(inl) else A(inr), 

w 2 )) 


( 21 . 8 ) 


e P(true)+P(false) 
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Finally, by —^-introduction, we discharge (21.1) and get 

Au).split(«;, (21-9) 

(wi, W2)apply(if w\ then A(inl) else A(inr), 

w 2 )) 

G P(true)+P(false) 

In essentially the same way we can prove the propositions: 

(3® € N)P(a) D (P(0) V (By G N)P(succ(|/))) 

(3® G List(A))P(x) D (P(nil) V (By G A)(Bz G List(A))P(cons(a;, y))) 
(BxgA + B)P(x) D ((By G A)P(in\(y)) V (3* € B)P(inr(*))) 

(BxgAx B)P(x) D (By G A)(Bz G B)P((y, z)) 

21.4 Decidable predicates 

The disjoint union can be used to express that a predicate (propositional func¬ 
tion) is decidable. Consider the set B(x) set [x G A], To say that B is decidable 
means that there is a mechanical procedure which for an arbitrary element a G A 
decides if B(a) is true or if it is false. In order to formally express that a predi¬ 
cate B is decidable for elements from A, one can use the disjoint union. If the 
set 

Decidable(A, B) = (II xgA)B(x)V~>B(x) 

is nonempty, then B is decidable and an element in the set is a decision procedure 
for the predicate. 

As an example of a decidable predicate and a decision procedure, we will 
show that there is an element in the set Decidable(N, (n)ld(N, 0, n)), thereby 
getting a decision procedure that decides if a natural number is equal to zero. 
We start the derivation by assuming 


nG N 

We then proceed to find an element in the set 

ld(N, 0,n) V —<ld(N, 0, n) 


by induction on n. 

The base case: By N-introduction, Id-introduction and V -introduction, we 
get 

inl(id(0)) e ld(N,0,0) V-.ld(N,0,0) 

The induction step: We first introduce the induction assumptions 
x G N 

yG ld(N, 0, ®) V —>ld(N, 0, x) 
and then continue with the assumption 


G ld(N, 0, succ(®)) 
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By the proof of Peano’s fourth axiom, we have 

peano4 g ld(N, 0,succ(n)) -*{} [ne N] 

By {}-elimination and —^-introduction, we get 

X((z)case(peano4 ■ z)) g —<ld(N, 0, succ(a;)) 

We can then use V -introduction to get 

\nr(\((z)case(peano4 ■ z)) g ld(N, 0, succ(a;)) V —>ld(N, 0, succ(a;)) 
and the N-elimination rule therefore gives us 

natrec(n, inl(id(0)), ( x,y)inr(\((z)case(peano4 ■ z )))) g 

ld(N, 0, n) V —>ld(N, 0, n) 


Finally, by -►-introduction, 

A((n)natrec(n, inl(id(0)), ( x,y)\m{\{{z)case{peano4 ■ 2))))) 

€ £>ectdai/e(N,(n)ld(N,0,n)) 

So, we have derived a decision procedure for the predicate (n)ld(N, 0,n). 


21.5 Stronger elimination rules 

It is possible to formulate stronger versions of the elimination rules, for instance, 
the rule of strong E-elimination: 

Strong E - elimination 

ceE {A, B ) 

C(v) set [v g E(A, B)] 

d(x,y) g C((x,y)) [x g A, y g B(x), (x,y) =s (a,b) c true] 
split'(c, d) g C(c) 

The third premise is weaker than the corresponding premise in the ordinary rule 
for E-elimination in that the assumption (x, y) =t,(a,b) c true is added. The 
constant split has been replaced by the defined constant split'. This rule can be 
seen as a derived rule in the following way: 

Let 


c g E(T, B) 

C(v) set [veE(A,B)] 

d(x',y') g C((x',y')) \x' g A, y' g B{x'), (x',y') =t.(a,b) c true] 
We are going to use the ordinary E-elimination rule on c and the family 
C\u) = ( U =£ (A,B) c) —► C(u) 

So, assume x & A and y g B(x) and we want to find an element in 
C'({x t y)) = ((x,y) =e(a,b) c) C({x,y)) 
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Assume therefore that z £ ((x,y) = E (a,b) c). But then 
d(x,y) £ C({x, y)) 


and -►-introduction gives that 

Xz.d(x,y) £ ((x,y) =s(a,b) c) -> C((x,y)) 
thereby discharging the last assumption. E-elimination gives 

split(c, (x,y)Xz.d(x,y)) £ (c =e(a,b) c) -» C(c) 

thereby discharging the remaining two assumptions. Since we know that id(c) £ 
(c =e (a,b) c) we can use -►-elimination to finally conclude that 

split'(c, d) £ C(c) 


where 

split 7 (c, d) = apply(split(c, (x, y)Xz.d(x, y)), id(c)). 

Notice, that if the premises of the strong elimination rule hold then the 
value of split / (c, d) is equal to the value of split(c, d) which can be seen from the 
following computation steps: 

c => (a, b) Xz.dja, b ) =» Xz.dja, b ) 
split(c, (x,y)Xz.d(x,y)) =>Xz.d{a,b) d(a,b) =>q 

apply(split(c, (x,y)Xz.d(x,y)),\d(c)) =>q 

We can strengthen the elimination-rules for II, +, and the enumeration sets 
in an analogous way: 

Strong II-elimination 

c g n(A, B) 

C(v) set [v g n(A, B)] 

d{y) € C(X{y)) [y(x) £ B(x) [x £ A], c = n (a,b) Kv) true] 
funsplit'(c, d) £ (7(c) 

where 

funsplit^c, d) = apply(funsplit(c, (y)Xz.d(y)), id(c)) 

Strong H—elimination 
c£ A + B 

C(v) set [v£A + B] 

d(x) £ C(inl(a:)) [x £ A, c =a+b inl(x) true] 
e(y) € C(inr(y)) [y £ B, c = a +b inr (y) true] 
when '(c,d,e) £ C(c) 

where 


whence, d,e) = apply(when(c, (x)Xz.d(x), ( y)Xz.e(y )), id(c)) 
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Strong Bool-elimination 
b e Bool 

C(v) set [v e Bool] 
c € C(true) [b = Boo! true true} 
d e C'(false) [b =r 00 | false true] 
if (6, c, d) B C(bl 

where 

i f(b, c, d) = apply(if(6, A*.c, A z.d), id(6)) 
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Chapter 22 

Program derivation 


One of the main reasons for using type theory for programming is that it can 
be seen as a theory both for writing specifications and constructing programs. 
In type theory a specification is expressed as a set and an element of that set is 
a program that satisfies the specification. 

Programming in type theory corresponds to theorem proving in mathemat¬ 
ics: the specification plays the role of the proposition to be proved and the 
program is obtained from the proof. We will in this chapter formulate the rules 
of type theory as tactics, corresponding to constructing programs top down. 
The idea of synthesising programs from constructive proofs has been used e.g. 
by Manna and Waldinger [62] Takasu [106] and Constable and his coworkers at 
Cornell University [25]. 


22.1 The program derivation method 

As already has been mentioned, programming in type theory is like theorem 
proving in mathematics. However, since parts of the proofs are used in the actual 
construction of programs, the proofs have to be more detailed and formal than 
they usually are in mathematics. In this respect, derivations of programs in type 
theory are similar to proofs of mathematical theorems in a formal system. Being 
formal is also a necessity when dealing with complex problems since one then 
certainly need computer support. For the examples in this chapter the solutions 
are so simple that there are no problems in doing the derivations informally. 
But already in the solution of Dijkstra’s problem of the Dutch national flag 
using arrays [87], there are so many steps and so much book-keeping that it is 
appropriate to make the derivation in such a way that it could be checked by 
a computer. So, in order to illustrate the method, our example is carried out 
in such a detail that it should be straightforward to obtain a completely formal 
derivation. Differences between proofs in traditional mathematics and program 
derivations as well as the role of formalization are discussed by Scherlis and 
Scott [94]. 

The usual way of presenting a formal derivation, e.g. in text books on 
logic, is to go from axioms and assumptions to the conclusion. When deriving 
programs in type theory this would mean that you first start constructing the 
smaller parts of the program and then build up the program from these parts. 
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This is not a good programming methodology. Instead we want to use the 
top-down approach from structured programming [32]. So, instead of starting 
the derivation from axioms and assumptions, we will proceed in the opposite 
direction. We will start with the specification, split it into subspecifications 
and then compose solutions to these subproblems to a solution of the original 
problem. In the LCF-system [44] there is a goal directed technique for finding 
proofs in this style. 

Corresponding to the judgement 


a€ A 

we have the goal A which is achieved by an element a if we have a proof of a g A. 
Corresponding to each of the other forms of judgement, we have a goal which 
has the same form as the judgement and which is achieved if we have a proof of 
it. For instance the goal a = b g A is achieved if we have a proof of a = b g A. 
Notice that in general goals may depend on assumptions. The different methods 
that can be used to split a goal into subgoals are called tactics. 

22.1.1 Basic tactics 

The basic tactics come from reading the rules of type theory bottom-up. For 
example, the introduction rule for conjunction 

A true B true 
AkB true 


becomes, when viewed as a tactic: 

The goal 

AkB true 

may be split into the subgoals 


A true 


and 


B true 


We can describe the tactic in the following way: 

\AkB true by &-introduction 
[A true by ... 

[B true by ... 

L 

Similarly, the introduction rule for the cartesian product 


qg A b&B 
( a,b } g A k B 


can be read as a tactic: 
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The problem of finding a program that achieves the goal 

AxB 

can be split into the problem of finding a program a that achieves 
the goal 

A 

and the problem of finding a program b that achieves the goal 
B 

The goal AxB is then achieved by the program (a, b). 

When deriving a program from a specification, applying a tactic will give a 
part of the program one is in the process of constructing. In the case of the 
x-introduction tactic, one gets a part on pair-form. The x-introduction tactic 
can also be described in the following way: 

[AxB by x-introduction 
[A by ... 

L 3 a 

\B by ... 

[3 b 
l£ (a, b) 

This schematical way of describing a tactic can be extended to full derivations. 
It can also be used when a derivation is not yet complete and then give the 
structure of the derivation made so far as well as the structure of the program 
obtained at that stage. 

Another example is the rule for x-elimination: 

p £ A x B e(x, y) € C((x, y) [x £ A,y £ B] 
split(p, e) 6 C(p) 

we get the following x-elimination tactic in type theory: 

The problem of finding a program that achieves the goal 

C(P) 

can be replaced by proving that p £ AxB and the problem of finding 
a program e(x,y) that achieves the goal 

C{{x,y)) 

under the assumptions that x £ A and y £ B. 

The goal C(p) is then achieved by the program split (p, e). 

In our notation: 

\C(p) by x-elimination 
[AxB by ... 

[3p 

[x £ A,y £ B] 
r C({x,y)) by ... 

[9 e(x,y) 

|9 split(p, e) 
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In this way all rules of type theory may be formulated as tactics. This is also the 
approach taken in the system for type theory developed at Cornell University 
[25]. We give two more examples of translating rules into tactics by formulating 
the II-introduction rule and the List-elimination rule as tactics. Both tactics 
will be used in the derivation of a program for the problem of the Dutch flag. 
Corresponding to the II-introduction rule 

b(x) € B(x ) [x e A] 

X(b) e?fpr 

we have the tactic: 

[~(ILr e A) B(x) by II-introduction 
[x e A] 

\B(x) by ... 

1.3 b(x) 

1.3 m 

The List-elimination rule, 

l e List(T) 
aeC'(nil) 

b(x,y,z ) e C(cons(a;, y)) [x e A, ye List(A), z e C{y)\ 
listrec(Z, a, b) e C(l) 

becomes, when formulated as a tactic: 

\C(l) by List-elimination 
[List(A) by ... 

1.3 l 

rC(nil) by ... 

1.3 a 

[x e A, ye List(A), 0 e C{y)\ 

|"C(cons(a:, y)) by ... 

[9 b(x, y, z) 

[9 listrec(Z, a, b) 

22.1.2 Derived tactics 

If we have a proof of a judgement then we also have a derived tactic corre¬ 
sponding to the judgement. We can look at a tactic as another way of reading 
a hypothetical judgement. For instance, if we have a proof of the hypothetical 
judgement 

c(x, y) e C(x, y) [x e A, y e B(x)\ (Jl) 

then we can use the following tactic: 

\C(x,y) by Jl 
\ A by ... 

\b(x) by ... 

|3 y 

[3 c(x, y) 
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As a simple example, after having made the derivation 


\peAxB] 

[A by x-elimination 
\AxB by assumption 
|_9 p 

[x e A, y £ B] 

[A by assumption 

L 9 x 

[9 split(p, (x, y)x) = fst(p) 


which is a proof of the judgement 

fst(p) £ A \p £ AxB] (x — eZirnl) 


[p e AxB] 

[A by x-eliml 

Mp) 

If we had a mechanical proof checker, it would not be necessary to check the 
correctness of a derived tactic more than once. In an application of it, there 
is no need to go through each step in the proof since by the construction of a 
derived tactic (that it comes from a judgement) we know that if we apply it to 
proofs of the subgoals it always yield a proof of the goal. 


22.2 A partitioning problem 

In this section, we will derive a program for Dijkstra’s problem of the Dutch 
national flag [32]: Construct a program, that given a sequence of objects, each 
having one of the colours red, white and blue, rearranges the objects so that they 
appear in the order of the Dutch national flag. In type theory, the natural way 
of formulating this partitioning problem is to use lists. Our solution will then, 
we think, result in the simplest possible program for the problem; the program 
one would write in a functional language like ML. However, the program will 
not satisfy Dijkstra’s requirements concerning space efficiency, which is one of 
the main points of his solution. In [87] a similar problem is solved, using arrays 
instead of lists and following Dijkstra’s more sophisticated method. 

We will use the following general assumptions about the problem: We assume 
that A is a set and each element in A has a colour, i.e. there is a function 
colourfx) € Colour, where Colour is the enumeration set {red, white, blue}. We 
will also assume that A has a decidable equality. So we introduce the following 
assumptions: 

A set 

colour{x) £ Colour [ x £ A] 

eqd(A,x,y) £ {z £ Bool | z =b 0 oI true x= A y} [x £ A, y £ A] 
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We start by introducing the following definitions: 


Colouredlist(s) 
Reds 
Whites 
Blues 
append(h,l 2 ) 
h l 2 
occin(x, l) 
li@l 2 


List({x e A | colour{x) = Colour s » 

Colouredlist( red) 

Colouredlist(wh\te) 

Colouredlist( blue) 

listrec(Zi, I 2 , (x,y, z ) cons(x, z)) 

(yx&A) ld(N, occin(x,li), occin(x,l 2 )) 

listrec(Z, 0, (u, v,w) if eqd(A, x,u) then succ(w) else w ) 

append(li,l 2 ) 


We have here used a definition of permutation which requires the equality rela¬ 
tion on A to be decidable. This restriction can be removed, but the definition 
will then be more complicated. 

The specification can now be given by the set 

S = (IlZe List(A)) Flag(l) 


where 


Flag(l) = {(l', l", l"') e Redsx WhitesxBlues \ l l'@l"@l"'} 

using the notation {(x,y,z) € AxBxC \ P(x,y,z)} for the subset 
{u e Ax(BxC) | P(fst(u), fst(snd(u)), trd{u))} 
where trd is defined by 

trd = ( u)snd(snd(u )) 

Note that a program that satisfies this specification will give a triple of lists as 
output. To get a solution to Dijkstra’s formulation of the problem, these three 
lists should be concatenated. 

Deriving a program that satisfies the specification is nothing but finding a 
program which is a member of the set expressing the specification, or, if we 
think of the specification as a goal, to find a program that achieves the goal. 

The intuitive idea behind the proof is the following: If l is a list of red, 
white and blue objects then the problem of finding an element in Flag(l) will 
be solved by induction on l. The base case, i.e. when l is equal to nil, is solved 
by the partition (nil, nil, nil). For the induction step, assume that l is cons(x,y) 
and that we have a partitioning 2 of y and then separate the problem into three 
cases: 

1. x is red. Then (cons (x, fst(z)), snd(z), trd(z)) is a partitioning of the list 
cons (x,y). 

2. x is white. Then (fst(z), cons(x, snd(z)), trd(z)) is a partitioning of the list 
cons(x, y). 

3. x is blue. Then (fst(z), snd(z), cons(x, trd(z))) is a partitioning of the list 
consul/). 
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From this intuitive idea, it would not be much work to get, by informal rea¬ 
soning, a program in type theory which satisfies the specification. We want, 
however, to do a derivation which easily could be transformed to a completely 
formal derivation. In the derivation we will assume a few elementary properties 
about permutations and these properties will be explicitly stated as lemmas. 

We begin the derivation by assuming l e List(A) and then try to find a 
program which is an element of the set Flag(l). In other words, we apply the 
II-introduction tactic to the specification S, getting the subgoal 

Flag(l) [l 6 List(A)] 

From this problem we proceed by list induction on l, i.e., we split the goal 
into three subgoals, corresponding to the three premises in the List-elimination 
rule. Schematically, the derivation we have made so far is: 

|"(IIZe List(A)) Flag(l) by II-intro 
[l e List(^)] 

Gl: \Flag{l) by List-elim 

fList(^4) by assumption 
|9 1 

Base: \Flag{ nil) by ... 

[x e A, y e List(A), z £ Flag(y)\ 

Ind. step: \Flag(cor\s(x,y)) by ... 

So if we succeed to solve the two subgoals finding an element a which achieves 
the base case and finding an element b(x, y, z ) which achieves the induction step 
then we can complete the derivation: 

|"(IIZe List(A)) Flag(l) by II-intro 
[l 6 List(^)] 

Gl: \Flag(l) by List-elim 

fList(^4) by assumption 

:■ |9 1 

Base: \Flag(n\\) by ... 

[9 a 

[ifA, y £ List(A), z £ Flag(y)\ 

Ind. step: \Flag(cons(x,y)) by ... 

[9 b(x, y, z) 

[9 listrec (l,a,b) 

[9 A ((l) listrec(Z, a, b) 

Let us start with the base case in the induction. We have the goal 

Flag(n\\) = {(l 1 , l", l'") e Redsx WhitesxBlues | nil 

Following the intuitive idea for the proof, this goal is achieved by (nil, nil, nil). 
Formally, then, we have to show that (nil, nil. nil) £ Flag( nil). In order to do this, 
we apply the Subset /Triple introduction tactic which is the tactic corresponding 
to the following judgement: 

(a,b,c) e {(l',l",l'")eAxBxC | P(l',l",l'")} 

[a e A, b e B, c e C, P(a, b, c) true] 
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We leave out the derivation of this judgement. By List-introduction we know 
that nil satisfies the three subgoals Reds, Whites, Blues and then we have to 
verify the subgoal 

nil nil@nil@nil 


Lemma 1 nil « P nil@nil@nil 

Proof: The lemma follows from the fact that nil is an identity for @ and that 
permutation is reflexive: 

nil@nil@nil 
= { nil@nil = nil } 

nil 

«p { l «p l [l€ List(.A)] } 
nil 


□ 


So 

(nil, nil, nil) e Flag( nil) 

and we have solved the base-step. We can summarize the derivation made so 
far: 

f(II/e List(^4)) Flag(l) by II-intro 
[l e List(T)] 

Gl: \Flag(l) by List-elim 

[List(T) by assumption 

[3 l 

Base: Flag{n\Vj by Lemma 2 

[9 (nil, nil, nil) 

[x e A, y e List(A), z € Flag(y)\ 

Ind. step: \Flag(cor\s(x, y)) by ... 

L=> b (x, y, z) 

[9 listrec(Z, (nil, nil, nil), b) 

[9 X((l) listrec(Z, (nil, nil, nil), 6) 

where Lemma 2 is the following derived tactic: 

Lemma 2 (nil, nil, nil) e Flag( nil) 

Proof: This is a formal derivation of the lemma: 

\Flag{ nil) by Subset/Triple-introduction 
\Reds by List-intro 
|_3 nil 

[ Whites by List-intro 
|_9 nil 

\Blues by List-intro 

|_9 nil 

nil nil@nil@nil true by Lemma 1 
[9 (nil, nil, nil) 
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□ 


It now remains to achieve the induction step: 

Flag(cons(x,y)) = {(l',l",l"') e Redsx WhitesxBlues \ 
cons(a:,?/) l'@l"@l'"} 


under the assumptions 

l e List(T), x e A, ye List(A), z e Flag{y) 

We apply the Subset /Triple elimination tactic, which is the derived tactic (we 
leave out the derivation): 

\C{p) by Subset/Triple-elim 

\{{l',1" ,V") e AxBxC | />(/'./",/'")} by ... 

[IP 

\z' e A, z" e B, z'" e C, P(z!, z", z'") true] 

\C{{z',z",z"')) by ... 

L9 e{z', z", z'") 

|9 split 3 (p,e) 


We then get the two subgoals 

1. Flag(y) = {(l 1 , l", l'") e Redsx WhitesxBlues \ y « P 

2. \z' e Reds,z" e Whites, z'" e Blues, y sa P z'@z"@z"' true] 

Flag(cons(x,y)) 

The first subgoal is achieved by 2 and the second subgoal says that the problem 
is to find a program which is an element of Flag(cons(x,y)) under the extra 
assumptions about z',z",z"'. Following the intuitive proof idea, we divide the 
remaining subgoal into three cases: when the element x is red, when it is white 
and when it is blue. From one of the assumptions done earlier we know that 

colour{x) e Colour [a: e A] 

so it is appropriate to apply the Colour-elimination tactic: 

\C(p) by Colour-elimination 
[~Colour by ... 

[Bp 

[colouiix) = colour red l 
r C(p) by ... 

[9 a 

[colour{x) = Colour white] 
r C(p) by ... 

L 3 b 

[colour{x) = Colour blue ] 
r C(p) by ... 

[9 C 

L9 case ColouM a , M 
We then get the following derivation: 
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\Flag(cons(x,y)) by Colour-e limination 
[ Colour by assumption 
[9 colour(x) 

[colour(x) = Colour red ] 

\Flag(cons(x,y) by ... 

[colour( x) = Colour wW,te \ 

\Flag(cons(x,y) by ... 

[colour(x) = Colour blue l 

\Flag(cons(x,y) by ... 

That the program 

(cons (x,z'),z" ,z"') 

achieves the red case is seen by the following derivation, which we call Al. 
\Flag{cons{x,y)) = 

{{l',1",V") G Redsx WhitesxBlues \ cons (x,y) l'@l"@l"'} 

by Subset/Triple-intro 

\Reds= List({a;eA | colour(x ) = red}) by List-intro 
\{xgA | colour(x) = red} by subset-intro 
[A by assumption 

[9 X 

[ colour{x) ~ red true by assumption 

L 

[9 X 

\{xgA | colour(x) = red} by assumption 
[9 Z 1 

[9 cons(a;, z') 

\ Whites by assumption 
1.3 z" 

\Blues by assumption 

L9 Z m 

[cons {x,z')<mz”@z'" « F cons (x,y) true by Lemma 3 
[9 (cons (x,z'),z",z" r ) 

The following lemma has been used in the derivation. 

Lemma 3 If A is a set, x G A, y G List(A), z’ G List(A), z" G List(A), 
z'" G List(A) and y z'@z"@z"' true, then 

cons (x,z')@z”@z'" cons(a:,j/) true 

Proof: cons(x, z')@z"@z'" 

= { List — equality } 

cons(a;, z'@z"@z"') 

~p { z'@z"@z'" ~p y,cons(x, z) cons(x,y) [x G A, z ~p y true] } 
cons(x, y) 

□ 


We can achieve the remaining subgoals in a similar way, letting A2 and A3 
correspond to Al in the white and blue cases, respectively: 
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[Flag(cons(x,y)) by CWour-elimination 
[ Colour by assumption 
[9 colour(x ) 

[■ colour{x ) = Colour red ] 

\Flag(cor\s(x, y)) by A1 
[9 (cons (x,z'),z",z"') 

[colour{x) = Colour white] 

\ Flag(cons(x, y) by A2 
[9 (z 1 , cons(a;, z"), z'") 

[colourix) = Colour blue ] 

\Flag(cor\s(x, y) by A3 
[9 (z' ,z" ,cons(x,z"')) 

Combining the solutions of the last three subproblems gives us that the goal 
is achieved by 

case Colour( coloui i x )> 

(cons(x, z'),z", z"'), 

(z', cons(a;, z"),z"'), 

( z ', z n , cons(x, z'"))) 

We can now form a program that achieves the induction step: 
split 3 (A 

(z 1 , z", z"')casz Colour {colour{x), 

(cons(x, z'),z", z'"), 

(z r , cons(a:, z"), z'"), 

{z’, z", cons(x, z'")))) 


G1 is then achieved by 


listrec(Z, (nil, nil, nil) 

(a?, 2/, ^)split 3 (^, 


,z"')case C olour( coloui i x )’ 

(cons(x, z'),z", z"’), 

( z cons(x, z"),z"’), 
(z', z", cons(x, z'"))))) 


And, finally 

A((Z) listrec(Z, (nil, nil, nil) 

(x,y,z)sp\it 3 (z, 

(z r , z", z'")case Colour (colour(x), 

(cons (x,z'),z",z'"), 

{z'i cons(x, z"), z 1 "), 

(z', z", cons(x, z'")))))) 

is a program that achieves our original problem and consequently also a program 
that satisfies the specification. 

The whole derivation is described in figure 22.1. 
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f(II/e List(^4)) Flag(l) by II-intro 
[l e List(A)] 

Gl: \Flag(l) by List-elim 

fList(vl) by assumption 

Base: [F7ci<7(nil) by Lemma 2 

[9 (nil, nil, nil) 

[xe A, ye List(A), z e Flag(y)] 

Ind. step: \ Flag(cons(x, y)) by Subset/Triple-elim 

r Flag(y) = 

e Redsx WhitesxBlues \ y « P by ass 

\z' e Reds, z" e Whites, z m e Blues, y « P z'@z"@z'" true} 
\Flag(cor\s(x,y)) by Colour-elimination 
|~ Colour by assumption 
[9 colour(x) 

[colour{x ) = Colour red ] 

\Flag(cons(x,y)) by A1 
(cons {x,z'),z",z'") 

[colourix) = Colour white] 

\Flag(cons(x, y) by A2 
[9 (z 1 , cons(x, z"), z'") 

\colourix ) = Colour blue ] 

\Flag(cons(x, y) by A3 
[9 {z' ,z" ,cons{x,z'")) 

L9 case Colour (colour(x), 

(cons(a;, z'),z", z'"), 

( z' , cons(x, z"), z'"), 

(z ; , z", cons(a;, z'"))) 

[9 split 3 (.2, 

(z 1 , z", z'")case Colour (colour(x), (cons(x, /),/, z" r 
( z ', cons(x, z"), z'"), 

\z', z", cons(x, z'")))) 

[9 listrec(Z, (nil, nil, nil), 

(£, Vi ^)split 3 (-2, 

(z', z", z'”)case Colour (colour{x) , (cons(a;, z% z" 
[z!, cons(x, z"),z"'), 

\z' ,z" ,cons{x,z"'))))) 

[9 A ((l) listrec(Z, (nil, nil, nil), 

(z,t/,2:)split 3 (2:, 

(z\ z", z '")case q 0lour {colour{x), (cons(x, z'),z", 

(z ', cons(x, z"),z'"), 

\z', z", cons(x, z'"))))) 


Figure 22.1: Derivation of a program for the Dutch 



Chapter 23 

Specification of abstract 
data types 


During the last 10 years, programmers have become increasingly aware of the 
practical importance of what Guttag [47] and others have called abstract data 
type specifications. A module is a generalization of an abstract data type. It is 
a tuple 

(Ai,A 2 ,...,A n ) 

where some A* are sets and some are functions and constants defined on these 
sets. It is a dependent tuple in the sense that the set that a component belongs 
to in general can depend on previous components in the tuple. The classical 
programming example of a module is a stack which is a set together with some 
operations defined on the set. An example from mathematics is a group 

(G,*,inv,u) 

where G is a set, * g G xG —> G, inv e G —> G, u e G and certain relationships 
hold between the components. 

In this section, we will show how to completely specify modules in type 
theory using the set of small sets and the dependent sets. We will have a fifth 
reading of the judgement A set: 

A is a module specification 

and also a fifth reading of a £ A : 

a is an implementation of the module specification A 

By an abuse of notation, we will not distinguish between sets and their 
codings in a universe. We will therefore write A instead of A and not use the 
function Set explicitly. It is always obvious from the context if an expression 
refers to a set or its corresponding element in U. 

A simple example is the specification of a stack which in type theory is 
expressed by the following set: 


179 




180 


CHAPTER 23. SPECIFICATION OF ABSTRACT DATA TYPES 


(: EStackN 6 U) 

(Eempty G StackN) 

(Epush G N x StackN —> StackN) 

(SpopG StackN —> StackN) 

(EtopG StackN —► N) 

(nteStacfcJV)(nneN) 

([pop-empty = stackN empty] x 
[pop- (pws/l- (n,i)) = StackN t] X 
[top • empty = stackN 0] x 
[top • (pus/i • (n, t)) =n nj) 

Using the logical notation for some of the sets, the specification can be 
reformulated to something that resembles an algebraic specification [47] but 
with a completely different semantic explanation: 

(3StackN € U) 

(3 empty G StackN) 

(3 push G N x StackN —> StackN) 

(3 pop G StackN —> StackN) 

(3 topG StackN —*• N) 

(Vt G StackN) (Vn G N) 

([pop-empty = stackN empty] k 
[pop ■ (push ■ (n,t)) =StackN t] k 
[top ■ empty = stackN 0] & 

[top • (pus/i • (n, t)) =n n]) 

The semantic explanation of this set is an instance of the general schema for 
explaining the meaning of a set in terms of canonical expressions and their 
equality relation. The canonical expressions of the set (EStackN G U) B\ are 
ordered pairs (st,bi), where st G U and b- t G B\ [StackN := st]. Since B t is also 
a S-set, the canonical objects of B\ must also be ordered pairs (e.s, 62), where 
es G Set (st) and 62 G B 2 , and so on. If each part of the set is analyzed with 
respect to its semantic explanation, one can see that each member of the set 
must be equal to a tuple: 

(st, es,pu,po, to,p) 

where 

(a ,..., b, c) = (M:») 

and 


st G U 
es G Set (st) 

pu G N x Set (st) —> Set(sf) 
po G Set (st) —► Set(st) 
to G Set(sf) —> N 

p G (VtGSet(st))(VnG N) [po • es = Typ e (st) es] x [...] x [...] x [...] 

Notice that the first component is an element in the set of small sets. This is of 
course a limitation, we would like to allow an arbitrary set. This could be done, 
but then we must use something like a E-type-forming operation on the level of 
types. The last judgement expresses that st, es, pu and to have the properties 
required for the stack operations. So the semantics of the specification is given 
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in terms of the canonical expressions of the set, or, in other words, in terms of 
the correct (canonical) implementations of the specification. The specification 
expresses requirements on implementations of the specification and it is, of 
course, possible to have requirements which cannot be satisfied. In type theory, 
a specification with such requirements does not cause any harm; the result is 
just that it is impossible to find an implementation for it. It is sometimes 
even possible to show that a specification never can be satisfied by proving it 
equivalent to the empty set. 

In the stack specification given above, we specified modules which are equal 
to objects: 

| st,es,pu,po , to,p) 

where the last component 

P e (VseSet(sf))(VneN)[po-es = Set(at) es] x [... ] x [...] x [...] 

only contains information obtained from the proof that the previous compo¬ 
nents of the tuple have the properties required for a stack. This component is 
computationally uninteresting, and if we use a subset instead of a E-set we have 
a specification of a stack without the irrelevant last component: 

(E StackN eU) 

(Eempty e StackN) 

(Epush € N x StackN —> StackN ) 

(E pop € StackN —> StackN ) 

{top e StackN —> N | 

(Vt 6 StackN) (Vn € N) 

{[pop- empty =stackN empty] & 

[pop ■ (push- (n,t)) = StackN t] k, 

[top ■ empty =stackN 0] & 

[top ■ (push ■ (n,t)) = N n])} 

As expected, this is a specification of a module which is equal to a 5-tuple: 

( st , es,pu,po, to) 

whose components have the properties we require for a stack. 

A small problem with this approach is that the equality we get between 
stacks is the equality of the implementation of the stack. At the same time as 
we specify a stack we would like to have the possibility to express that two stacks 
are considered equal when they are observationally equal, i.e. when they cannot 
be distinguished by any operation defined on stacks. This needs something like 
a quotient set forming operation, which redefines the equality on a set. This 
would be a major change in the set theory and we will not explore it further 
here. 


23.1 Parameterized modules 

Specifications of parameterized modules, such as a stack of A elements, for an 
arbitrary set A, are neatly handled in type theory. The parameterized module 
is specified by means of the II-set former. The specification is the set 
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STACK = 

(IlieU) in logical notation: (VA £ U) 

(:EStack e U) 

(Eempty £ Stack ) 

(Epush £ Set(A) x Stack —» Stack) 

(Epop e Stack —> Stack) 


The canonical expressions of a set (II A £ U) B are functions A x.s, such that 
whenever they are applied to an object C £ U, they will yield an object in 
the set B[A := C\. This means that an implementation of the specification 
STACK is a function, which when applied to an element A of the set U returns 
an implementation of a stack of A elements. So, if st £ STACK, then st ■ N is a 
module of stacks of natural numbers and st ■ N x N is a module of stacks of pairs 
of natural numbers. These modules can then be decomposed in the same way 
as earlier to get their components. 


23.2 A module for sets with a computable equal¬ 
ity 

The module 

is a computable equality if X is (a coding of) a set and e is a boolean function 
computing the equality defined on X, i.e. 

e • ( x, y) =Booi true, if and only if x =x y 

This can be specified by the set 

CompEq = 

(EXeU) 

{e e A x I -* Bool I 

(Vy,z£X)([e-(y,z) = Boo i true]<& [y = x z ])} 

Notice that the specification expresses exactly the requirements on the function 
e, an arbitrary boolean valued function will not do! 

We can now use this module specification to define a module FSET for finite 
sets: 

FSET = 

(IIA £ CompEq) 

(EFSet £ U) 

(Eeset £ FSet) 

(Eadd £ A 1 x FSet —> FSet) 

{mem £ A\ x FSet —> Bool \ 

(Vf e FSet) (Vo e Ai) (V6 e Ai) 

([mem ■ {a, eset) =Booi false] & 

[mem ■ (a, add ■ (b, t)) = b 0 oi 

if A 2 ■ (a,b ) then true else mem ■ (a,t)]} 
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An object of this set is a function which when applied to an object {A, e) in 
CompEq yields an implementation of FSET for the particular arguments cho¬ 
sen. Note how the II set-former is used for specifying a dependent function set, 
in which the elements are functions for which the value of the first arguments 
determines which set the second argument should be a member of. 
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Constants and their arities 


A.l Primitive constants in the set theory 


Name 

Arity 

Can/Noncan 

Type 

0 

0 

canonical 

N 

succ 

0^0 

canonical 

N 

natrec 

0®0®(0®0—»0)—»0 

noncanonical 

N 

nil 

0 

canonical 

List (A) 

cons 

0®0—»0 

canonical 

List(A) 

listrec 

0®0®(0®0®0—»0)—»0 

noncanonical 

List(A) 

A 

(o^o)-^o 

canonical 

A—>B, II(A, B) 

apply 

0®0—»0 

noncanonical 

A^B, II(A, B) 

funsplit 

0®(0^0)^0 

noncanonical 

A^B, II(A, B) 

0 

0®0—»0 

canonical 

A x B,T,(A,B) 

split 

0®(0®0—»0)—»0 

noncanonical 

A x B,E(A,B) 

ini 

0^0 

canonical 

A + B 

inr 

0^0 

canonical 

A + B 

when 

0®(0^0)®(0^0)-^0 

noncanonical 

A + B 

sup 

0®(0^0)^0 

canonical 

W(A, B) 

wrec 

0®(0®(0^0)®(0^0)^0)^0 

noncanonical 

W(A, B) 

tree 

0®(0^0)^0 

canonical 

Tree(A, B, C, d) 

treerec 

0®(0®(0^0)®(0^0)^0)^0 

noncanonical 

Tr ee(A,B,C,d) 


197 




198 


APPENDIX A. CONSTANTS AND THEIR ARITIES 


Name 

Arity 

Can/Noncan 

Type 

id 

0 

canonical 

ld(A, a, b) 

idpeel 

0®(0^0)^0 

noncanonical 

ld(A, a, b) 


0 

canonical 

U 

N 

0 

canonical 

U 

List 

0^0 

canonical 

U 

id 

0®0®0—»0 

canonical 

U 

+ 

0®0—»0 

canonical 

U 

n 

0®(0^0)^0 

canonical 

U 

s 

0®(0^0)^0 

canonical 

U 

w 

0®(0^0)^0 

canonical 

U 

urec 

(se page 93) 

noncanonical 

U 


A.2 Set constants 


Name 

Arity 


0 

N 

0 

List 

0^0 

n 

0®(0^0)-^0 

-> 

0®0—»0 

s 

0®(0—»0)—»0 

X 

0®0—»0 

+ 

0®0—»0 

Id 

0®0®0—»0 

W 

0®(0^0)^0 

Tree 

0®(0—»0)®(0®0—»0)®(0®0®0—»0)—»0—»0 

U 

0 

{|} 

0®(0—»0)—»0 






Appendix B 


Operational semantics 


The following is a formal description of the operational semantics of the poly¬ 
morphic set theory. We use the notation a => 6 to mean that the program a 
computes to the value 6. We start with programs on constructor form, which 
already are evaluated, then we continue with programs on selector form. 


*i =>ii 

0 =>0 

cons(d, e) =>cons(d, e) 

inr(e) =>inr(e) 

a =>ii h =>g 

succ(d) =>succ(d) nil =>nil 

A(c) => A(c) inl(d) => inl(d) 

(c,d) =>{c,d) sup(c, d) =>sup(c, d) 

a => i n b n =>q 

case n (a, &i, ..., b n ) =>q 

case n (a, 6i,... ,6 n ) =>q 

a =>0 b =>q 

a =>succ(d) c(d, natrec(d, b, c)) =>q 

natrec(a, b, c) =><? 

natrec (a, 6, c) =>q 

a => nil b => q 

a =>cons(d, e) c(d, e, listrec(e, b, c)) =><? 

listrec(a,6, c) =>g 

Iistrec(a,6, c) =>g 

a => A(c) c(b) => q 

a => A(c) 6(c) 

apply(a,6) =>q 

funsplit(a, 6) =><? 

a => inl(d) 6(d) =► q 

a =>inr(e) c(e) 

when (a, 6, c) 

when(a, 6, c) =><? 

a => (c, d) b(c, d) =>q 

a =>sup(c, d) 6(c, d, (x)wrec(d(x) , 6)) =»g 

split(a, b) => g 

wrec(a,6) =>q 
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APPENDIX B. OPERATIONAL SEMANTICS 


B.l Evaluation rules for noncanonical constants 


The following is an informal description of the operational semantics of type 
theory. Only the rules for the selectors are given, since each expression on 
constructor form is already evaluated. Let a; be a variable and a, b, c, d and e 
expressions of suitable arity. 


Expression 


Computation rule 

case n (a,6i, ...,b n ) 

1 . 

Evaluate a to canonical form 

where a £ |ti,... ,i n } 

2 a. 

If the value is of the form i\ 
then continue with b-\ 


2 b. 

If the value is of the form i2 
then continue with &2 


2 u. 

If the value is of the form i n 
then continue with b n 

natrec(a, b, c) 

1 . 

Evaluate a to canonical form 


2 a. 

If the value is of the form 0 
then continue with b 


2 b. 

If the value is of the form succ(ci) 
then continue with c(d, natrec(d, b, c)) 

listrec(a, b, c) 

1 . 

Evaluate a to canonical form 


2 a. 

If the value is of the form nil 
then continue with b 


2 b. 

If the value is of the form consfd, e) 
then continue with c(d, e, listrec(e, b , c )) 

apply(a, b) 

1 . 

Evaluate a to canonical form 


2 . 

If the value is of the form A(c) 
then continue with c(b) 

funsplit(a, b) 

1 . 

Evaluate a to canonical form 


2 . 

If the value is of the form A(c) 
then continue with 6(c). 

split(a, b) 

1 . 

Evaluate a to canonical form 


2 . 

If the value is of the form (c, d) 
then continue with 6(c, d) 






B.l. EVALUATION RULES FOR NONCANONICAL CONSTANTS 


Expression 


Computation rule 

when(a, b, c) 

1 . 

Evaluate a to canonical form 


2 a. 

If the value is of the form inl(d) 
then continue with b(d) 


2 b. 

If the value is of the form inr(e) 
then continue with c(e) 

wrec(a, b ) 

1 . 

Evaluate a to canonical form 

2 . 

If the value is of the form sup(c, d) 
then continue with b(c, d , (x)wrec(d(x), b)) 




